Computer SW Security - Berkeley CSUA MOTD
Berkeley CSUA MOTD:Computer:SW:Security:
Results 301 - 450 of 1108   < 1 2 3 4 5 6 7 8 >
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2024/12/25 [General] UID:1000 Activity:popular
12/25   

2002/7/2-3 [Reference/History, Computer/SW/Security, Politics/Domestic/President/Bush] UID:25265 Activity:nil
7/2     The Prez has lots of experience with corporate fraud:
        http://www.nytimes.com/2002/07/02/opinion/02KRUG.html
        http://www.salon.com/politics/feature/2002/07/02/bush/index_np.html?x
        \_ so? if it really ends up leading to reform, i don't care
           what he did in the past.  let's judge him by his current actions,
           not past actions.  they're bad enough.
           \_ You really think we have any real chance of seeing reform?
2002/7/1 [Computer/SW/Security] UID:25250 Activity:kinda low
6/28    I've been looking at web-based calendars. Has anyone tried/been happy
        with one of these? I noticed prospector, in particular is GPLed, which
        I like because it guarantees no ads.
        http://prospector.sourceforge.net
        http://www.localendar.com
        http:/greatwebcalendar.com/ , etc.
        I've noticed that one of these web calendars had a nasty security hole,
        is one concern.
        \_ Which one has a hole?
2002/6/29-7/1 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25240 Activity:moderate
6/28    http://www.theregister.co.uk/content/4/25940.html
        Analysis of MS Palladium scheme.  It's even worse than I'd first
        thought.  Very ugly stuff.
        \_ You expected any less?
           \_ It didn't occur to me such evil was possible but I'm not
              at all surprised it was MS that came up with it.
        \_ see also http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html
        \_ What is stopping people from just replacing the "fritz" chip
           with a FPGA that says yes to every query?
           \_ Destroying your MB because it'll be built in that way?  Or worse,
              it'll be part of the CPU in v2?
2002/6/28 [Computer/SW/Security] UID:25232 Activity:nil
6/27    Anyone successfully used the UCB campus-licensed Windows SSH
        3.1.0 client (from http://ssh.com) with Solaris 9 SSH server? It
        keeps telling me "key exchange failed" no matter what
        algorithm I choose (and this is with debugging on), but
        works with other SSH servers
        \_ Bug in Solaris 9 bundled SSH. Need to use version 3.0.0
           which is also available on http://software.berkeley.edu
2002/6/26-27 [Computer/SW/Security] UID:25205 Activity:moderate
6/26    What happened to s/key?  Is there an alternative way to get
        one-time passwords to login from a potentially insecure machine?
        \_ ask root (and / or the VP ) to recompile soda's kernel
           and turn s/key and keyinit back on
        \_ s/key still works for me.
           \_ You haven't run out of keys yet. skeyinit is turned off.
2002/6/26-27 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:25201 Activity:high
6/26    Upgrade to OpenSSH 3.4 ASAP: http://www.openssh.com/txt/iss.adv
        \_ so is 3.3 fixed too (i thought) or just better because of
           PrivilegeSeparation.
           \_ 3.3 doesn't have a fix but if you enable priv sep on 3.3,
              the exploit won't result in a remote root explot
                \_ I don't know how you run your systems but i'd wager that
                   for most people (certainly for me) any remote exploit is
                   a remote root exploit.  There are simply too many local
                   exploits to always have them all fixed.
                   \_ Agreed. However one advantage of priv sep is that even
                      if sshd falls victim to a exploit, the intruder only
                      has user level access and them must find out which
                      of your local binaries have local exploits. This
                      leaves a trail which you can use to track the intruder
                      down.
                      \_ Not really.  By the time they find a local exploit,
                         which will be about 18 seconds on a bad day, you
                         won't be tracking anything.  Once they get a local
                         shell with any account it's all over.
        \_ Thanks for the link.  I was happy to see a quick kludge in there.
           I don't have time to deal with a full upgrade for real right now.
           \_ Just so you know turning off ChallengeResponse is a hack to fix
              the one known exploit, but it isn't a fix for the whole class
              of exploits that were found and fixed by the OpenSSH team in
              3.4. Try to upgrade as soon as you can.
                \_ On my list for tonight.  I didn't want to do it remotely
                   and fuck it up and cut myself off from my server.  Thanks
                   for pointing that out.
2002/6/25-26 [Computer/SW/Security] UID:25188 Activity:moderate
6/24    OpenSSH 3.3 with Privilege Separation now available.
        http://marc.theaimsgroup.com/?l=secure-shell&m=102485397824660&w=2
        \_ and why should we care?
           \_ BIG security exploit in openssh if priv. sep. is not
              enabled and priv. sep. is available only in v 3.3
              \_ The problem has NOT been fixed in the priv. sep. openssh.
                 However, privelege separated openssh supposedly diminishes
                 the possibility of root compromisse. Keep in mind that
                 privelege separation is a new option and it does not work
                 well on many non-*BSD platforms.
              \_ ??  Got a url for the openssh problem?  I missed that one. tx
2002/6/24-25 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25180 Activity:nil
6/24    The future of computer security is Palladium:
        http://www.infoworld.com/articles/hn/xml/02/06/24/020624hnpalladium.xml
        \_ Uhm, no it isn't.  Only in BG's little brain.
2002/6/24-25 [Computer/SW/Security] UID:25178 Activity:high
6/24    I'd like to use Cygwin to manage my Redhat 7.2 box.  I can ssh in no
        prob, but when I try to open an xterm, it fails, with:
        xterm Xt error: Can't open display: server:10.0
        I can get X11 over ssh just fine from soda.  This is a stock 7.2
        install--nothing special.  Any ideas?
        \_ first did you try ssh -X
           and then have you tried ssh -v
           for verbose mode.
           \_ Yes, -X works fine, -v lists the following X11 related stuff:
           debug1: Requesting X11 forwarding with authentication spoofing.
           debug1: channel request 0: x11-req
           debug1: channel request 0: shell
           debug1: fd 5 setting TCP_NODELAY
           debug1: channel 0: open confirm rwindow 0 rmax 16384
           \_ have you installed xhost on the redhat box?
              I don't remember what rpm contains it.
              \_ yes, xhost is installed.
                 \_ "xhost +" and try again.
                    \_ tried it with no effect (BTW, thanks for this help-- I
                       really appreciate it).
        \_ Found the solution.  My ssh connection set the DISPLAY on the remote
           site to "machine:10.0" instead of "localhost:10.0".  When I fix the
           display variable to use "localhost" it works just fine.
           \_ Just had the same problem a few days ago. Another way to deal
              with this is add your machine name ("machine" above) to
              /etc/hosts with your correct IP (if it's static). Then it'll
              work as-is, without requiring a manual reset of $DISPLAY every
              time. -alexf
2002/6/21-23 [Computer/SW/Security, Computer/SW/WWW/Server] UID:25167 Activity:very high
6/21    Big bad apache hole in the wild.  Patch/upgrade now.  See http://apache.org
        or your favorite security site for details.
        \_ So they finally learned from Microshit?  "In order to gain free
           press we need to introduce security holes."
        \_ Does anyone think this vulnerability could lead to a fast spreading
           worm like  Code Red, for example?
        \_ What's the point? Apache + modules (esp. php) are full of holes.
           \_ So, don't use the modules you don't trust.
           Patch one, and there are still a hundred others that the '1337
           H4X0R5 will use to break in. Even if you patch all the modules,
           you still have all your executable content (perl cgi, ssi, php,
           servlet, jsp, etc) which is undoubtedly riddled with holes.
              \_ 1) try formatting.  2) just because there are other holes is
                 no reason not to patch this one.  3) glad you're not the admin
                 at my company.
           \_ It is possible but cracking a site by exploiting the holes
              in locally written code is much harder than exploiting a widely
              publicized and well understood vulnerability that possibly
              affects nearly every apache site out there.
           If you care about security, run publicfile.
           \_ publicfile does not support CGI scripts or any kind of server
              side programming which makes it fairly useless for lots of
              users.
        \_ Um, it's not actually that bad.  It's a DoS exploit at worst on
           many architectures.
           \_ nnnn!  go read the security alert, not msnbc.
              \_ Actually I read all three.  Plus the apache one.  Plus the
                 debian security-announce summary.  It's a DoS explot.
                 \_ Well you didn't read the one that said it's a full root
                    exploit.  Whatever, go use telnet.  Not my problem.
                 \_ At least one exploit (for openbsd) has already been posted
                    on bugtraq with intent to prove people like you wrong.
                    \_ If your OS doesn't execute data off the stack, it's
                       not exploitable (but it's still DOS).  And it's not
                       a root hole, just the user Apache runs as.  Still,
                       it's potentially bad.  -tom
                       \_ Lots of people run apache as root.  Lots of sites
                          that run apache as 'www' or whatever will also have
                          local holes if they haven't fixed this one.  Thus it
                          is highly likely that getting in through apache is
                          just one step from root.  Layers....
                          \_ I challenge you to find one person running
                             Apache as root.  -tom
                             \- the csua used to run a WEEB server on it's
                             name server. there was a bug that let you get
                             a shell running as the WEEB server uid. now it
                             turned out the WEEB server uid owned the WEEB
                             config file, so you could just changed the run-as
                             user to root and repeat the process and you would
                             have a root shell on the name server. this is
                             detailed in some comment by myself and P. Norby
                             some time ago. I dont think this is that big a
                             deal and right now the "real" denial of service
                             is all the people running around recommend things
                             like vulnerabilty people immidiately delete their
                             defaultroutes and such. --psb
2002/6/21-22 [Computer/SW/Security] UID:25164 Activity:high
6/21    Since keyinit has been disabled and ssh doesn't work for me (behind
        company firewall/proxy), what other options do I have to login to
        csua?  Already tried ssh with http-tunnel and socks2http.  -allenchu
        \_ Find someone who'll let you telnet into their shell account
           and ssh in from there. -Someone who ran out of keys too.
           \_ People like you are simply irresponsible bastards. You know
              the difference between telnet and ssh but you're still insisting
              on using telnet, potentially compromissing not only the security
              of your personal account on both machines but also compromissing
              the host security of both machines in general. Lots of root
              breakins start with sniffed passwords. But you, of course, don't
              give a flying f**k to this because you're probably not the one
              who will end up fixing the problems later.
              \_ If the company's firewall didn't block port 22,
                 he would of use SSH.  Just because you are an irresponsible
                 idoit doesn't mean everyone else is.
                 \_ that's not an excuse for using telnet and
                    jeopardazing the security of the entire machine. I am
                    also surprised that a company that filters outgoing
                    ssh still allows outgoing telnet.
                    \_ I doubt there is one.  It's too stupid to comprehend.
        \_ How did you post your question without logging in?
           \_ Because I have ssh at home. Also have a few keys left.
        \_ can you ssh to port 80 on scotch.csua
           \_ Thank you.  This might be it.  Of couse this assumes the
              lovely M$ proxy that prevented http-tunnel to work will
              not do the same to this solution.  -op
        \_ sorry, I haven't been paying attention: why is keyinit disabled
           anyway?
           \_  The answer I got was some sort of security hole w/ skey.
2002/6/21 [Computer/Networking, Computer/SW/Security] UID:25163 Activity:moderate
6/20  I'm so confused.  Isn't 192.168.0.0 a non-routing network?   ...
        \_ http://CNC.net should not be routing these packets. Neither should
           XO really, but they might have an agreement with CNC that
           makes it hard for them to filter traffic.
        \_ Welcome to the world of routing.  Sadly, certain Network Operators
           are, shall we say, less than clued.
        \_ A lot of providers use RFC1918 addresses for 'private' interfaces;
           frame relay clouds are a good example of this.  They're not
           supposed to be routed, but rather just used within a given
           cloud or circuit for routers to be able to contact each other.
           Sometimes routing information about these slips out, when someone
           exports a default route, or doesn't filter correctly (correct
           me if I'm wrong, but aren't some protocols, like OSPF, a pain
           to filter individual routes/networks with?) so people with
           different providers will see these addresses as "existing"
           in various places.  Shouldn't do any harm, it's just not very
           clean.  -John
           \_ still, one shouldn't be using RFC1918 addresses even for
               transit links, as it will get important ICMP messages generated
               by the routes filtered out.  Things like unreachables and
               fragmentation-needed stuff. Its sloppy/bad practice. -ERic
               \- terminal administrative domains such as lbl.gov put on a
                  lot of filters like this, but for some reason, various
                  transit domains like esnet are refusing to do so ... they
                  are saying there are some performance issues ... we didnt
                  argue much or demand to see the evidence but it is possible
                  there is sort of a reason, i.e. even if the overhead is
                  small, the fraction of these packets is vanishingly small
                  --psb
2024/12/25 [General] UID:1000 Activity:popular
12/25   

2002/6/19-20 [Computer/SW/Security] UID:25150 Activity:kinda low
6/19    Is there a free program that does scp on window 95?  (This is for a
        machine at work, over which I have no control.)
        \_ I don't know if it works on Win95, but it works on Win2k and
           Win98:  putty and pscp.  Do a google search.
        \_ As the above person said, pscp works.  Also try WinSCP.  Has some
           issues with its interface (at least the version I have), but does
           the job.
        \_ The link is: http://winscp.vse.cz/download2.php?file=WinSCP2.exe
        \_ the scp (and ssh) programs for cygwin work pretty well. I realize
           that this is overkill for this problem, but you may find cygwin
           generally useful as well.
2002/6/13 [Computer/SW/Security] UID:25085 Activity:high
6/12    What's the ANSI escape sequence for setting colors 8-15?
        \_ colors 8-15 are just high-intensity versions of colors 0-7.
           to set the high-intensity attribute, use {ESC}[1m
           see also: http://perso.efrei.fr/~marnier/docs/ansi-esc.htm
           --jameslin
           \_ Hm... interesting.  The reason behind this question is that
              colors 0-7 in SSH Secure Shell are very dark.  I'd like to
              use termcap/terminfo to trick programs to using colors
              8-15 (which look normal).  I've tried using Esc[1m, but I
              get the brighter color along with a bold typeface.  I'd like
              to get just the brighter color but not the bold typeface.
              Ideas?
              \_ don't use colorls?
              \_ Unless you can change something in your terminal program's
                 options itself, you're fucked. Try another ssh client.
                 PuTTY is good. Teraterm is usable but doesn't do
                 ansi colors iirc.
                 \_ Teraterm actually does.
                 \_ Putty is nice when you need something fast for a one shot
                    but for daily use I prefer terateam which doesn't feel like
                    someone's HS project.
                    \_ I'm curious -- name one thing that teraterm does better
                       than the current stable version of putty. I've used all
                       3 (ssh.com client, tterm pro, putty) for quite a while
                       and now just use putty because it's acted up much less
                       often than the others.
                       \_ For starters, putty is the only ssh client that will
                          spontaneously drop my connection all day every day.
                          It's not an idle time issue, it'll do it in the
                          middle of typing.  There were a few other personal
                          preference differences but I consider disconnects a
                          serious issue.
                          \_ Strange; I've never had that happen over several
                             months of using putty (unless the network went
                             out with it). Are you sure it's not a problem
                             with your server's sshd (which the other clients
                             may be more tolerant toward)?
2002/6/10-11 [Computer/Domains, Computer/SW/Security] UID:25057 Activity:kinda low
6/9     I have a geocities website and my own domainname. Is there any free
        service to do DNS+Url Redirection of my domain to geocities? I couldn't
        figure out if http://freedns.com is what I needed. -fuless, not faithless
        \_ some domain registrars will do redirects for you as part of the
           service.  shop around.  maybe your own already does this.
        \_ I ended up using http://afraid.org. --opp
2002/6/9-10 [Computer/SW/Security, Computer/SW/OS/Windows] UID:25049 Activity:high
6/9     What is up with the logos of http://msdn.microsoft.com and http://amazon.com being
        identical? Same font, same arrow.
        \_ what about Lucent and Zachary's Pizza?
        \_ what about http://chickswithdicks.com and yermom?
        \_ Obviously, they are both part of a vast Washington state conspiracy
           to brainwash the rest of the country.
           \_ obYerMomAndMyDick
2002/6/7-8 [Computer/SW/Security] UID:25023 Activity:high
6/6     imap via ssl on csua is down: ports 585 and 993 both refuse connection.
        Why does csua require ssh when we are only allowed to use nonsecure
        imap?
        \_ You could always do IMAP over SSH like what I do.
           ssh -g -l jondoe -L 20143:csua.berkeley.edu:143 http://csua.berkeley.edu
           then connect to localhost:20143 from your client. -jeff
           \_ Works great, thanks so much for the great tip!!!  Now I
              don't have to badger our sysadmins about this any more, they
              have resisted installing imap/ssl...
        \_ You are a moron.
           \_ well, no.  this has been happening all too often lately.
              root has been pinged about putting ssl+imap into inetd, but
              as yet nothing has been done about it.  They could get the
              complaints and the security concern out of their hair
              very quickly...  Granted, the person could ssh tunnel
              themselves, but changing your config when it's soda's config
              that's broken is a time sink.
              \_ Or they could *GASP* read mail on soda!
                 \_ If we offer a service, we should do at least the bare
                    minimum to keep it running.  it's not that hard to put
                    it into inetd...
                 \_ that's not the way of the true alumni!  POP YER MAIL!
                    \_ Fuck off, paolo.
                       \_ That's no way to talk to an Dept Honored Officer!
                          \_ Heh.
        \_ IMAP/SSL is now available.
           \_ how about POP/SSL?
           \_ how about SSH/SSL??  I want my secure link to be totally secure!
2002/6/6-7 [Computer/SW/Security, Computer/Companies/Yahoo] UID:25011 Activity:nil
6/5     Where is Yahoo options do I opt out of the mailing list?
        \_ http://subscribe.yahoo.com/showaccount also
           http://privacy.yahoo.com/privacy/us/pixels/details.html
2002/5/27 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:24952 Activity:nil
5/26    Congrats on your award for service to the CS department through the
        CSUA paolo!
2002/5/25-26 [Computer/SW/Security] UID:24945 Activity:high
5/25    Which of the following is safer: ssh login to a remote host and read
        mail there use a command-line client or access my mails using an imap
        capable local client?  -- crypto/protocol novice
        \_Using encrypted email. Otherwise, it just a matter of where on the
          network your attacker is sitting.
          \_ Or maybe they're reading your keys and monitor from a van parked
             across the street.  It doesn't matter.  It's just the dude's
             personal mail.  No one cares what's in it.
             \_ Look, I am not worried about individual emails get
                sniffed on its way.  I just want to have a reasonably
                secure way to check my emails from a long distance or
                a continent away without compromising my password etc.
                a continent away without compromising my password or
                having personal info. in my mails systematically collected
                in some database when they pass through rogue networks.
                \_ Ssh in and use your favorite local client.
2002/5/23-24 [Computer/SW/Security] UID:24921 Activity:moderate
5/22    Does anyone use Dragon? I currently use a service that charges $.10
        for transcription and am thinking about switching to Dragon. They
        have standard, preferred, and professional, but it is unclear what you
        get for $100 and what you get for $700.
        \_ Yes, I mean Dragon Naturally Speaking 6.0.
        \_ You mean Dragon the PC software?
           \_ no, the big reptilian thing that breaths fire.
              \_ That was practically a gimme but funny anyway. Thanks!
2002/5/8-9 [Computer/SW/Security] UID:24756 Activity:low
5/8     I'm thinking about using a block cipher to encrypt pkts
        in my application, but I'm running into a problems wtr
        transmitting/receiving the encrypted pkts. Here is
        what I want to do (given values are secret key K, plain
        text PT):
        1. Derive K1 (encryption key) from K and a random nonce
           N1 and derive K2 (HMAC key) from K and a random nonce N2
        2. Encrypt PT and H(PT) using K1: e = E(H(PT)|PT,K1)
        3. Calc. HMAC of the e: h = HMAC(e,K2)
        4. Transmit N1|N2|e|h (this would be a fixed size pkt)
        5. Recv. N1,N2,e,h
        6. Derive K1 and K2 from K using recv'd N1 and N2
        7. If HMAC(e) = h, then decrypt e: D(e,K2) = H(PT)|PT
        8. If the decrypted H(PT) matches a computes H(PT)
           return PT.
        What I don't know how to do is recover from the following
        situations:
        * HMAC(e) of the recv'ed e != h
        * Decrypted H(PT) != computed H(PT)
        Since it it unlikely that the pkt was corrupted by trans.
        errors (I'm using TCP), the only way that this could happen
        is because of an active attacker. Is there any point in
        asking for a retransmit on the recv side if an active
        attacker is present?
        \_ post this to crypto@csua, you'll get better results than the
           motd.  Motd is full of dropouts and sysadmins.
           \_ Hi paolo. You're delusional again. Go back to bed.
              \_ who is this paolo?
                 \_ He was president for a long time, then he quit logging in.
2002/5/4-6 [Computer/SW/Security, Computer/Theory] UID:24704 Activity:high
5/3     If I want to learn about error correction, compression, and cryto,
        which class would I take?                            crypto? _/
        \_ Info theory at Stanford.  Berkeley does not teach ugrad info theory.
        \_ Information theory.  Read Thomas & Cover.  There is an information
           theory class using that book at Stanford.  Berkeley does not
           teach information theory to undergrads.
        \_ 170 talks about the basics of both, 150 has some error correction
           too.  specifics?
        \_ Crypto classes: 261 (well, security), 276 (protocol-level), and this
           semester Wagner taught a 294 which was block-cypher level. Even
           though I've managed not to pay any attention to 174, I remember
           somebody saying something about entropy, so likely has to do
           something with compression and/or random number generation.
           -chialea
                \_ "managed not to pay any attention to 174".  Okey dokey, now
                   who was making noise before about the best Cal ugrads not
                   getting into Cal grad school?
                   \_ Not best.  Schmooziest.  Big difference.
                   \_ if you were as good as chialea, wouldn't you be bored
                      by 174? --chialea #1 fan
        \_ several EE courses discuss compression (the multimedial related
           signal/image processing courses)
        \_ depending on the prof, Math 114 often covers coding theory, and
           error-correcting codes.              - rory
2002/5/3-5 [Computer/SW/Languages/Java, Computer/SW/Apps/Media, Computer/SW/Security] UID:24700 Activity:nil
5/3     Finally we know who was the first borg, it was Prof. Steve
        Mann of the University of Toronto:
        http://chronicle.com/free/v48/i34/34a03101.htm
        \_ He's saying he had a wearable video display 20 years ago?
           \_ He's saying he was a freak 20 years ago just like now.
2002/4/24-25 [Computer/SW/Security, Computer/SW/Unix] UID:24568 Activity:moderate
4/24    Are you getting bounces from http://mail.yahoo.com?  I tried responding
        to people, and I'm getting bounces.  They are not spammers.
        I respond a few seconds after they email me.
        \_ so it has begun
        \_ Yes. It's been sporadic for a day or so.
        \_ Well did you pay your Yahoo E-Delivery Fee?  You can only send
           mail to Yahoo users if you're a paying customer.
2002/4/23-24 [Computer/SW/Security] UID:24543 Activity:very high
4/23    Security question: assuming i have a "good" /dev/random and I
        read from /dev/random from 00:00 to 00:01 and save that in a file,
        will take make it trivial to attack someome who uses /dev/random on
        the same machine to "seed" a random passwd generator at 00:00:30?
        Or does each caller some how whiten it with his own environment?
        \_ Or say I read in 10k bytes from /dev/random or /dev/urandom
           at 00:00 and I start and another copy of the same process "at
           the same time", will I get overlapping random streams?
           at 00:00, which takes 2 seconds.  I start and another copy of
           the same process a couple of millisenconds after 00:00,
           will I get overlapping or interleaved random streams?
         \_ no and no, if it is a "good" /dev/random
            \_ So what prevents two people "simultaneously" reading from
               /dev/random from letting the same stream?
               \_ The driver probably has a locking mechanism in the
                  read entry point to prevent this:
                  ep_read { lock ; copy bit to userspace ; unlock ; }
2002/4/22 [Computer/SW/Security] UID:24532 Activity:high
4/21    MOTD Poll. How many people use pgp (or gnupg) on soda?
        PGP:
        GnuPG: ...
        Neither, Because No One Cares What's In Your Email: ..
        I'm Not That Paranoid: ..
        The Feds Already Cracked It Or We Wouldn't Be Allowed To Use It: .
        the NSA paid for my fucking harddrive anyway so there's no point: .
        \_ and if anyone who got *ANY* sort of PGP filter worked with
           with pine, let me know.             -kngharv
           \_ I tried. How I tried. I believe the problem is actually with
              soda's installation of pgp. I bought the bullet and started
              soda's installation of pgp. I bit the bullet and started
              using mutt. I can't say I'm an enthusiast but it does handle
              gpg better. I never did get pgp working. --ulysses
           \_ I couldn't get it working in pine. I gave up and switched
              to mh-e and mailcrypt.
        \_ Follow up poll. Do you:
           sign email: .
           sign news:
           sign + encrypt email:
           sign + encrypt news:
2002/3/28 [Computer/SW/Security] UID:24260 Activity:high
3/28    What exactly are the "Digital IDs" that Outlook Express blabs about
        when I click on "Security" in the program? ... specifcally, how do
        these relate to PGP encryption?
        \_ No, it's created by combining your SS#, DOB, Mother's maiden name,
           and CDL in a complex alogorythm that involves concatenation and
           rot13.  This cryptographic innovation brought to you by Microsoft!
           The ecommerce version has your bank account and pin in there, too,
           for your convenience.
2002/3/25-26 [Computer/SW/Security] UID:24222 Activity:moderate
3/25    Has anyone heard about the CBDTPA?
        http://www.politechbot.com/docs/cbdtpa/hollings.s2048.032102.html
        It will be a disaster if this thing gets passed.
        \_ No one has ever heard of this or the SSSCA before.
           \_ dude! i just found the greatest web site! you should
              check it out: http://slashdot.org
              \_ cool thanks!  its looks really low end and new are they
                 working on improving it at all?  it might stand a chance!
                 "community" $ell$!!
2002/3/23-24 [Computer/SW/Security] UID:24212 Activity:nil
3/23    MacOS X's Preview bypasses PDF "security":
        http://www.macuser.co.uk/macsurfer/php3/openframe.php3?page=/newnews/newsarticle.php3?id=1854
        Why is it that Adobe's attempts at "security" are always so damn
        stupid?
2002/3/15 [Computer/SW/Security] UID:24123 Activity:high
3/15    i want to take this opportunity to publicly insult newark
        electronics customer service.  they suck donkey balls. their web
        site is lame was programmed by yermom. go digikey or allied!
        \_ This is the motd, not a customer satisfaction line. Your complaint
           is entirely too banal and does not once mention yermom.
2002/3/15 [Computer/SW/Security] UID:24122 Activity:nil
3/15    Any one uses pgp4pine and gpg?  for some reason, my send filter
        worked, but display filter (for recieving encrypted / signed
        email) does not.  What really puzzle me, is that when I
        open the file contains pgp (uses _BEGINNING("-----USE  PGP")),
        my default editor (in this case, jove) launched, and has an
        error message in jove saying: "invalid switch -c"  anyone
        has any clue?                           -kngharv
2002/3/14 [Computer/SW/Security] UID:24112 Activity:moderate
3/14    http://www.nytimes.com/2002/03/14/technology/circuits/14MANN.html
        \_ "He is now undergoing tests to determine whether his brain has
            been affected by the sudden detachment from the technology."
2002/3/13 [Computer/SW/Security] UID:24092 Activity:high
3/12    sshd has got vulnerabilities, fixes, and potential future
        vulnerabilities. If I TCP wrap and use hosts.allow/deny for sshd
        and other apps, so only listed hosts can connect, does that prevent
        intruders from exploiting future holes?
        That is, as long as it's TCP-wrapped or restricted by hosts.* files,
        even if I was running an exploitable version of sshd, nobody can
        break in via sshd, true?
        Same with all inetd.conf daemons, right? I only run one.
        (This assumes the hosts in my hosts.allow file are secure)
        \_ Here is a thought. Run sshd on a high number port as sshd rather
           than root. Then use your fw/nat/pat box redir 22 to the high
           number port. This way even if there is a breakin, they don't
           get root (assuming root can't login via ssh).
        \_ Assuming no holes in tcpwrappers, probably.  ssh uses libwrap,
           which is a little different than being wrapped in inetd.conf,
           and possibly is less secure.  -tom
        \_ why dont you just upgrade/patch ssh?
           \_ "potential future vulnerabilities", i.e. undiscovered bugs.
              \_ well then, why dont you jsut remove ssh.  even safer,
                 unplug your machine from the net.  Nothing safer from network
                 attacks than an airwall.
                 \_ You're an idiot.  -tom
                    \_ No s/he has a point.  If the OP is so afraid of being on
                       the net that they want to be 'safe' from the future,
                       they're on the wrong net.  They need to power down and
                       idiot." because that requires no thought or effort.
                       go read a book in a park if they want that level of
                       safety.  No one can protect your net from unknown future
                       bugs.  If it was that easy everyone would be doing it.
                       Of course it's much easier to just post "You're an
                       idiot." because that requires no thought or effort. -i2
                        \_ Oh, and posting "disconnect from the net if you
                           want to feel safe" requires effort?  Guess what--
                           you're an idiot, too.  -tom
                           \_ i don't give a rats ass about this thread,
                              i'm just going to point out that tom has
                              proven himself to be a total idiot about
                              a hundred times over on the motd.
                              \_ Does that include his anonymous postings?
                           \_ clearly you're dead to sarcasm.
                              \_ "Sarcasm is hard!  Let's go shopping!"
                              \_  The post above by "i2" is not sarcasm. If you
                                  are i2 then you are a liar, if you are not
                                  then, Guess what -- -!tom
                                  \_ Wow... let it go. Time to move on.  Try
                                     Prozac or Ritalin or something.
        \_ IP Spoofing isn't that hard and you will also need to ensure
           all of the hosts in your list are never compromised. If you are
           concerned about security you need to set up your network in
           a manner that is secure.
        \_ Isn't the known hole in ssh quite hard to exploit?
           \_ Yes, and that too only if you have a local account
              with a valid passwd and shell.
2002/3/8-10 [Computer/SW/Security] UID:24063 Activity:nil
3/7     Root people: http://www.pine.nl/advisories/pine-cert-20020301.html
        Allowing local users to gain root via openssh.
        \_ Root people, New York and California
           Root people, I was born on Jupiter
        \_ Ever heard of e-mail?
           \_ Like they read it?  Like no one else here runs anything and
              might need to know this, too?  Fuck off.
2002/3/1 [Computer/SW/Security] UID:24005 Activity:nil
2/28    Todd Solondz speaks! Saturday, Wheeler. 1 free ticket for all
        Cal students w/ Student ID at the Zellerbach Box Office.
        Would anyone in the CSUA be interested in possibly recording
        this (if possible) and hosting it on the web somewhere? I'm
        willing to help but don't have access to many of the needed
        resources.              - rory
        \_ who is todd solondz?
           \_ Isn't he the kid in Mask with Cher?
              \_ Eric Stoltz. :)
              \_ Sadly, I think that kid is dead. ...wonder if he
                 ever made it to Katmandu or wherever.
           \_ Indie movie director.
           \_ http://us.imdb.com/Name?Solondz,+Todd
2002/2/26-27 [Computer/SW/Security] UID:23973 Activity:nil
2/25    <DEAD>www.bsdi.com/date<DEAD> used to have a small gif showing where
        the sun was currently shining. Anybody know where I can find that
        image somewhere else?
        \_http://www.fourmilab.ch/cgi-bin/uncgi/Earth/action?opt=-p gets you
          a large image of that, plus access to a bunch of other cool stuff.
          \_ this is cool.
2002/2/25-26 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:23970 Activity:high
2/25    Is there anyone out who understands the NT security API? All I'm
        trying to do is set permissions on a directory: Everyone group,
        full control, inheritable by child objects and containers. Then I
        need to know how to create files so that they don't override the
        parent ACL. Should they have a NULL SD, or a default SD with a NULL
        DACL?

        What I'm doing now is setting security on every file create and
        copy, which is error prone. CopyFile doesn't copy the SD, so I do
        SetNamedSecurityInfo(DACL_SECURITY_INFORMATION|
        PROTECTED_DACL_SECURITY_INFORMATION) on the new file. It would be
        better if it just obeyed the parent directory settings.  -sky
        \_ I know how to do the similar on Solaris on but not NT. Sorry.
           In Solaris I set the parent directories ACL and mask and then all
           children (both files & directories) inherit ACL. At least when
           you do commands like cp/cat/vi. Okay, so it's not going thru the
           API so it's not similar thing. There are some oddities when on
           older versions of Veritas products though. Are you using Veritas?
        \_ Apparently no one understands the NT security API.  What I _do_
           know is it has nothing to do with the way Veritas or Solaris work.
2002/2/25 [Computer/SW/Security] UID:23969 Activity:moderate
2/25    I need to give a user console X access but no remote login access
        of any kind (translation: secure location, but a bad password).
        Other users need to have remote access.  Setup is kde/freebsd.
        What's the easiest way to do this?
        \_sshd has allowuser/denyuser allowgroup/denygroup useful for
                an ftp-only account -dwc
           \_ Perfect, thank you.
2002/2/22 [Computer/SW/Security, Computer/SW/Unix] UID:23943 Activity:very high
2/21    My moronic boss asked me to write a batch file to auomate a telnet
        session and one requirement is it should not ask user for the
        password.  How do I kindly tell him that he is an idiot?
        \_ setup ssh with passwordless public key or host-based authentication,
           symlink telnet to ssh and let him believe that the users are using
           telnet ;p
           \_ The batch file will be placed in hundreds of Windows 98
              machine's at a client site; none of these machines have ssh.
              How do I tell him off?  I told him it can't be done and he
              insisted that it can be done.
              \_ Why are you still even working there? I can't imagine
                 working in a place with a boss that stupid and an OS
                 that crappy.
                 \_ This isn't 1998.
              \_ Include ssh along with the batch file. --dim
        \_ He's a moron, true, but you've done your duty by telling him so, now
           it is your job to make it work.  I suggest a telnetd that auto-auths
           anyone with no password.  Yes, this is frightfully stupid, etc, etc,
           but unless you want to polish your resume, swallow the bile and just
           do it.  Now is not a good time to get fired.  Make sure you have it
           documented that this is insecure and you told them so but were told
           to do it anyway.  You're then free from serious fallout.  C.Y.A.
        \_ I agree with the SSH suggestion. However, if you still need to
           use telnet, you can embed a known password into the batch script.
           You need to telnet to the same account, though. Or maybe have
           the user save the password somewhere, but not ask on every
           use.
        \_ Create a server on a random port that does what he wants and have
                your script telnet to that port.
        \_ write a telnet program that automates the password and ship
           it with your batch file.  And document it that it's insecure.
        \_ Upgrade windows. Realize that even windows has better tools
           than telnet for running remote batch jobs.
        \_ Whatever you do ignore the idiots here who give the 1990's dotcom
           answer of "oh just quit!".  Find a way to do the project and do it.
           Document the insecurity and the specs and forget about it.  Your job
           is more important than religion.
        \_ maybe he's talking about telnet -F option with Kerberos V5
           authentication being used.
        \_ acct with no passwd?
2002/2/20-21 [Computer/SW/Security] UID:23926 Activity:high
2/20    Quoting from instructions on how to send a Sony laptop in for
        non-warranty service.  They fuck you so fantastically hard it's
        Awesome!
        >Should you choose to send the system for service, you will be
        >responsible for the following:
         ...
        >d. You MUST provide proper documentation with your shipment;
        >   - Name, Return Shipping Address (no PO boxes),
        >   - Day and Evening Phone Numbers
        >   - Detailed Errors and symptoms
        >   - Method of payment (MC, VISA, AMEX, DISCOVER, Money Orders
        >      and Checks (no starters)
        >   - Written letter authorizing charges up to $700.   <======= Rad!
         ...
        >NOTE: There is a minimum $25 estimate fee and a $35 return shipping
        >fee. The estimate charge will be waived if the repairs are
        >performed at the Fremont facility. You will be notified of, and
        >must approve the estimate prior to the repair. Service estimates
        >are not available through email. The diagnosis of hardware
        >service issues cannot be handled via e-mail. The system must be
        >shipped in prior to receiving a service estimate quote.
        \_ you are getting a Dell dude!
        \_ we know you're supposed to get a macintosh.
2002/2/20 [Computer/SW/P2P, Computer/SW/Security] UID:23921 Activity:high
2/19    Tom posts an intelligent comment on usenet:
        http://groups.google.com/groups?hl=en&selm=a4u5df%241uvv%241%40agate.berkeley.edu
        \_ Charging is one possibility except then you get into the problem
           of exactly who to charge.  Do you charge the student assigned to a
           workstation?  Ok, another user logs in from another local machine
           and uses the other student's machine for external access.  Do you
           charge the whole department or sub-unit and "let God sort it out"?
           That just means rich departments stay on the net and poorer ones
           take the net away from most of their users.  You can't charge by
           IP address because IP != unique user and packets don't have user
           names on them.  There's still no answer short of simply cutting off
           a lot of people from external net access and I don't think anyone
           wants that.
           \_ "tragedy of the commons" problems usually have no easy solution.
              The issue of access to national parks is a good example; you
              can't restrict access to Yosemite Valley in a way that's
              pleasing and fair, but you have to restrict access if you want
              Yosemite Valley to retain its value.  At some point you have
              to make some decisions about tradeoffs.  A campus phone isn't
              equivalent to a unique user, either, but we manage to bill
              people for phone service.  -tom
              \_ I don't have a problem with the basic concept of billing for
                 usage but it isn't the same as phones.  Most people aren't on
                 the phone all day.  Most aren't making LD calls.  And it is a
                 bit difficult to login to your phone from my desk without your
                 knowledge and rack up a huge bill to 976-hotsex.  $300 in
                 calls on my phone to my office mate's mother in Tokyo is easy
                 to track down and bill properly.  With the technology at hand
                 I only see raising bandwidth or cutting a lot of people off
                 from the public net.  I don't see the latter as a good choice
                 for a research/educational institution.  It also wouldn't fly
                 politically.
                        \- i think this is naive.
                 \_ How are you planning to pay for this increased bandwidth?
                 \_ I don't think anyone wants to cut people off the net,
                    but providing a certain amount of "free" service, and
                    charging if you go over a certain amount of traffic, is
                    probably a tenable model.  Buying bandwidth indefinitely
                    so kids can fill it up with more kazaa is untenable. -tom
                    \_Just raise tuiton. Make net access a line item that
                    people can elect not to pay for if they don't need it.
                        \_ "Every complex problem has a solution that's
                            simple, elegant, and won't work."  -tom
                            \_ isn that ken lindahl's or msinatra's quote?
                               \- Why doesnt "disallow P2P except on certain
                               subnets/via prior arragement" [say for people
                               using gnutella for collaboration or maybe some-
                               body in cs doing something researchy] solve the
                               problem as long as someone in the dorms can
                               get their own isp access [i am not sure if this
                               is possible]. are students on the dormnet
                               allowed to run WEEB servers? yes, a lot of the
                               http is garbage but you have to attack what is
                               viable and cost-effective. the comment about
                               running the p2p server on port 80 to "hide" is
                               not a real issue. at least with napster,
                               gnutella, kazza, we can detect it on any port
                               [although not in real time, although that doesnt
                               seem important]. Also, the TotC comparison isnt
                               quite right since the Commons is a natural
                               endowment while bandwidth is sort of a "weakly-
                               rival" good paid for by somebody. Say I build a
                               lighthouse for my shipping company along my
                               shipping lane. I dont care if some people use
                               my lighthouses, however if this makes for "my
                               shipping lanes" too crowded for me to use,
                               well, i'd be better off switching technologies.
                               it seems like if you throttled the dormnet
                               traffic onto the routed internet but allowed
                               significant bandwidth to campus, people could
                               do their school work. [i assume most of the
                               p2p sharing isnt local]. --psb
                               [the lighthouse example is a little off because
                               it is not a divisible but a binary good but that
                               wasnt the point i was getting at. someone does
                               own the bandwidth].
                                \_ dorm traffic is already handled under
                                   a separate cap.  You can do things to
                                   discourage P2P sharing, but that only
                                   solves 25% of your problem, and the
                                   more you discourage it, the more incentive
                                   there is to find ways around it.  -tom
        \_ MOTD WANKERY!  None of you people are in position to do anything.
           \_ actually, I am.  -tom
             \_ A chill falls across the room...
           \_ wanking is precisely what they are in the position to do.
2002/2/13-14 [Computer/SW/Security, Computer/SW/Unix] UID:23861 Activity:high 54%like:23860
2/13    Each time I login, I would like to see my "Last Login" info, but
        not the motd. How do I do this?
        \_ Edit the .login file in your home directory. If you still see
           the motd scroll by, create a file called ".hushlogin" in your
           homedir (`touch .hushlogin` will do).
            \_ Right, but with .hushlogin I don't see my "Last Login"
               I can't seem to quell only the motd.  Can I set something
               like "no-motd" in my .login?  Also, my "Last Login" info
               gets shoved off the screen before I get a chance to read it.
               Why is that?
               Why is that? -brett (thanks & sorry)
               \_ Sign your name and make ur .login public so we can
                  help you.  Perhaps you have a 'clear' command in it.
                    \_ Okay.
2002/2/13 [Computer/SW/Unix, Computer/SW/Security] UID:23860 Activity:nil 54%like:23861
2/13    I want to see my "Last Login" info, but not the motd, each
        time I login. How do I configure this?
2002/2/12-13 [Computer/Domains, Computer/SW/Security, Computer/HW] UID:23850 Activity:high
2/12    Is there a good way to find all the HOSTS in an nis domain, assuming
        you have access to master and slave servers?  It would be better if
        there was a log file to parse, but I can dump network traffic too.
        \_ ypcat passwd
        \_ ypcat hosts
           \_ That doesn't do anything useful.
              \- maybe "snoop rpc ypserv" --psb
2002/2/11 [Computer/SW/Security, Computer/SW/Unix] UID:23833 Activity:high
2/10    can some root type make install the Word file reader wv port?  thanks
        \_ Done.  --some root type
           \- Where do you get this software  ?
              \_ the joy of /usr/ports/ on FreeBSD
              \_ http://www.wvWare.com
2002/2/7-8 [Computer/SW/Security] UID:23806 Activity:high
2/7     An attack on the SSHv2 Protocol (for those who don't follow
        sci.crypt):
        http://groups.google.com/groups?hl=en&group=sci.crypt&selm=MPG.16cb6c26ff1c3931989687%40chicago.usenetserver.com
        \_ The thing about all these newer 'attacks' is they all require the
           man in the middle to have all sorts of access you can't expect a
           typical hacker to get.  Anyone who has the warrant or the skill to
           insert themself into my ssh2 datastream will probably find it
           easier to hack straight into the server or just get a warrant to
           put a van outside my building and 'listen in' on my keyboard and
           monitor through the walls.  I'm not losing sleep over this one.
           \_ Yes it is theoretical, but the point is that it could be more
              secure. IPSec for example does not have the problem.
2002/2/5-6 [Computer/SW/Security] UID:23789 Activity:nil
2/5     When I try to PGP encrypt outgoing messages in conjunction with mutt,
        I get several screens of hex numbers and then a fault notification.
        Does anyone have mutt + PGP working on soda? Can I get a look at your
        muttrc?
        [ reformatted - motd formatting daemon ]
2002/2/2 [Computer/SW/Security, Computer/SW/OS/Windows] UID:23750 Activity:nil
2/1     Idiots Dos the World Economic Forum website.  Claim some sort of
        bizarre victory.
        http://www.washingtonpost.com/wp-dyn/articles/A10521-2002Feb1.html
        \_ See next motd topic.
2002/1/31 [Computer/SW/Security] UID:23732 Activity:high
1/31    I used to get "You have mail." or "You have new mail." messages when I
        logged in but not anymore.  What happened?  Where do they come from?
        \_ the system sshd_config may have had CheckMail turned off.
           \_ CheckMail in sshd is deprecated
              http://www.monkey.org/openbsd/archive/misc/0111/msg00384.html
        \_ I think tcsh may have been upgraded.
        \_ look at your .login.   if you dont have nfrm anywhere in the
           file, add it.
           \_ nfrm shows you who the mail is from, which is nice but takes
              way too long. I just want to see if I have new mail or not
              like it used to show. how do I get that?
              \_ RTFM, einstein. It's in there.
2002/1/25-26 [Computer/SW/Security] UID:23669 Activity:high
1/25    Crap.  At a new job and the emc tech guy just sent mail that our emc
        service contract expired almost a year ago.  $225/hr, minimum of 2
        hours to do anything.
        \_ That's probably less than they would have charged you for a
           service contract.  -tom
           \_ i doubt it.. cuz thats prob jus labor and not parts. -shac
           \_ that's just time, not materials.  And you think they're going to
              be really zippy when its on an hourly paid basis?  They already
              take 4+ hours to swap a disk or two.  --fucked EMC admin
2002/1/24-25 [Computer/SW/Security, Computer/SW/Unix] UID:23660 Activity:high
1/24    Anyone have any ideas and/or pointers of how to crack Yahoo IM offline
        messages and archived chats and conferences without knowing the
        password of the account that you are trying to snoop on?
        \_ No, but I'm sure google does.  -John
        \_ If google doesn't help you could try cracking it yourself.  I'd
           make my own logs with my own account and see what comes out.  Use
           long strings of each character in the alphabet, 1 per log, etc.
           I know they used to send everything over the net in clear text so
           I doubt the archive encryption is tougher than rot13 or des.
        \_ never used it but try http://www.elcomsoft.com/aimpr.html
2002/1/15-16 [Computer/SW/Graphics, Computer/SW/Security] UID:23571 Activity:nil
1/15    This is too funny.  Go to http://www.bsa.org/usa and find the
        Flash movie halfway down and see the story of Meg A. Byte the
        software pirate.
        \_ That's hilarious.  I especially like how they ripped of a few games
           in the video.  Nothing makes the point better than hypocrisy.
2002/1/14-15 [Computer/SW/Security, Computer/SW/OS/Windows] UID:23561 Activity:very high
1/15  .name URLs now available
        \_ What is it?
        \_ Is it permanent?  (I mean as permanent as
           http://www.csua.berkeley.edu/~mylogin
           \_ http://www.siliconvalley.com/docs/news/svfront/002411.htm
              \_ Gee.  They might as well open up the name space for *anything*
                 that is descriptive, e.g. "JohnDoe@university.of.california.at.
                 berkeley", "JohnDoe@2345.dwight.way.apt12.berkeley.ca94704",
                 "JohnDoe@510.643.1234.us"
        \_ worthless.  Making a 4 letter extension is going to break all sorts
           of code out there.
           \_ Maybe badly written code...  There have been >3 letter extensions
              for quite a while.
              \_ Not to mention 2-letter extensions like .tv and all the
                 international extensions (.jp, .it, .ca, etc)
                 \_ They're called TLDs people, not "extensions". This ain't DOS.
        \_ yeah baby, <DEAD>cum.cum.cum<DEAD>
2002/1/13-14 [Computer/SW/P2P, Computer/SW/Security] UID:23552 Activity:very high
1/13    http://www.nytimes.com/2002/01/13/edlife/13BAND.html?pagewanted=print
        The article mentions 'Direct Connect.'  What other file sharing
        programs are in use these days besides this and Morpheus and other
        FastTrack variants.  Any CSUA members in the dorms or otherwise with big
        pipes care to comment?
        \_ irc
        \_ yeah, I've got a big pipe for ya
        \_ http://vadim.berkeley.edu
           \_ hi paolo!
           \_ nice going vadim, taking scheme.xcf.berkeley and changing it to
              vadim.berkeley. fucking tactless egomaniac.
                \_ I thought the useless xcf was shut down years ago?  -alum
                   \_ It was.  It has become... the Vadim Computing
                      Facility.
                      \_ This is probably funny but I don't know who Vadim is
                         or the current xcf situation.  Is it dead or what?
                         \_ Not dead.  There's one member.
                            \_ Just using your powers of deduction, see if you
                               can infer what that one member's name is.
         \_ check http://zeropaid.com for an extensive listing of file sharing
            prorams.   -- jj
        \_ the Dec207 warez club!
        \_ The dorms don't have a big pipe anymore.  They're collectively
           limited to ~20Mbit.  That's 4,000+ hosts.  UCB dorm net is pretty
           much useless these days.  Residents keep trying to get DSL
           installed because it's faster.
           \_ Buncha whiners.  I felt lucky to have 14.4 access after I got
              access to the staff/professor modem bank and off the busy and
              broken 1200-9600 student bank.  Doing classwork on campus was
              better anyway.  Easily block remote connections to your
              workstation and keep all those other pesky students dialing in
              at 2400 on some other machine.
              \_ in my day, we used smoke signals.  on a clear day with a
                 small enough wind we could get ten bits per minutes, and
                 we were damn pleased with that.
                 \_ They allowed you to have smoke?  And you knew what the sun
                    looked like?  And wind?  You had wind?? You must be new
                    around here....
           \_ Petition them to increase the size of the big pipe.  This is
              not 1991 anymore, when I spent big bucks to upgrade to a 9600
              modem.
                \_ The problem with the dorms is that they'll use (for napster
                   clones, mostly) all the bandwidth you'll give them, and the
                   campus pays for bandwidth used to the commodity net.  Dorm
                   traffic isn't limited if it goes over Internet 2.  -tom
                   \_ Cool.  Now they just need a multi-campus I2 p2p thing
                      going and they're set.  I've got this idea for a business
                      model... I just need $325m in funding now....
                   \_ Two words: traffic shaping.  Eliminate this bandwidth
                      cap bullshit, and use traffic shaping to limit obscene
                      traffic caused by p2p filesharing apps.  Dorm net
                      becomes useable again.
                        \_ A few more words: apathy, money, unimportant.  It
                           isn't worth anyone's time to fix the dorm net
                           situation.  Who cares?  Let them eat cake!  Is
                           there a minimum bandwidth promised or an SLA in
                           the current dorm contract?  Do people *really*
                           choose the dorms because they have net?  Was the
                           <DEAD>dorm.net<DEAD> the deciding factor for anyone's living
                           arrangement?  If so they need to get over it.
                        \_ Clearly, that's the way campus wants to go, but
                           it's rather difficult in our environment.  -tom
           \_ that's 20Mbit to off campus.
2002/1/10 [Computer/SW/Security] UID:23520 Activity:very high
1/10    So I've decided that since my system is vulnerable to one kind of
        attack to not bother with any sort of defenses.  I'm reinstalling
        telnetd, disabling ssh2, running an old version of ssh1, putting IIS
        4.0 unpatched back into production, get 8.01 bind going and then
        setting the root password to "root".  Does this make sense to anyone?
        Should I stop patching my computers because there might be a different
        way to get in that isn't covered by the current patches?
        \_ It makes no sense and you are an idiot.
           \_ So is this any different than not spending money on one form
              of national defense because the country would still be open to
              other forms of attack?
                \_ you're an idiot.  -tom
                   \_ At least now we have your best point against national
                      defense.  You're brilliant.  You should be running the
                      DoD.
                        \_ sign your name, o brilliant one.  -tom
        \_ Missle defence is analogous to building a huge titanium dome
           for your computer. It is expensive, impractical and won't
           defend against the likeliest threats. It will also distract
           you from defending against the threats you should be concerned
           about.
           \_ So you mean the most likely threat from nukes isn't nukes on
              warheads?  When there's 5000+ of them out there in the hands of
              multiple nations and some of those nations aren't very friendly?
              You determined this was an unlikely threat?  You're not qualified
              to make that analysis.
           \_ My titanium dome protects my computer against worms, viruses,
              DoS, and every exploit that exists.
                \_ The analogy is to a titanium dome that still has holes
                   in it for network access.  -tom
                   \_ This is known as a "strawman argument" and it's
                      considered bad debate form.  Most people left this
                      behind in the dorms.
                      \_ And the original poster was not?
2002/1/5-6 [Academia/Berkeley/CSUA, Computer/SW/Security] UID:23468 Activity:moderate
1/4     csua/csua and user/pass are two short, many sites require 5-8 char
        names and passwords.  What should is sign up as then?  -goodCSUAer
        \_ ucbcsua with password ucbcsua1, ucbcsua2, etc.
           Or csua123 or csuacsua as username.  Some site require
           pw diff from logins so either have a pw that is the
           reverse of the login or I dunno...?
        \_ cypherpunk/cypherpunk
        \_ csuamotd/csuamotd works fine for me at a few places.  thanks to
           whoever set that up.
        \_ How about a /csua/pub file of websites with user/pass for each.
        \_ soda.csua/password was set up for NYT.
2002/1/4-5 [Computer/SW/Security] UID:23459 Activity:very high
1/4     http://news.cnet.com/news/0-1005-200-8358574.html?tag=mn_hd
        \_ Did nweaver post this because he was quoted in the article? :-)
        \_ This guy picked the Christmas week to notify AOL and then claimed
           waiting for a week is too long.  Hmm.  Maybe he just wanted the
           publicity.
           \_ The article I read said that AOL didn't even bother to respond
              to him.  It's not just that they didn't fix it in the first
              week after he reported it -- they didn't even acknowledge that
              the problem *existed*.  Then when he goes public they fix
              it in 24 hours?  Sounds like he was right to go public.
                \_ At most tech companies, there was no one around to respond
                   to anything from Dec. 22 - Jan. 1.
                   \_ Sounds like the best time to exploit a hole :)
                   \_ I can't think of any legitimate reason for their
                      escalation path for security problems to be broken,
                      even for holidays.  Whether they failed to respond out
                      of arrogance or incompetence doesn't make much of a
                      difference.
                      \_ suppose you find a major security hole in AIM.  Whom
                         do you email?  Does AOL have a special email address
                         hotline for reporting critical exploits?  Do they
                         publicize it?  I'd guess that the answer to at least
                         one of those questions is "no".  So now you're left
                         with filing a bug report using the standard support
                         channels, which most likely get flooded with mail from
                         clueless newbies.  Do the real developers field all
                         these questions, or does a low-paid grunt deal with
                         them?  Does this support grunt check email every day
                         during his vacation?  give him a break.
                         \_ When I call AOL tech support, I usually
                            get prompt and complete service. signed, AOLuser
                         \_ You send it to support.  It is the responsibility
                            of their support organization to classify the
                            incoming report correctly and advise their
                            management so they can direct it to the
                            appropriate engineers to repair.  An organization
                            the size of AOL doesn't have a single support
                            grunt who goes on vacation and leaves the support
                            email unanswered; they have a large group of
                            people processing incoming support requests, and
                            there's always somebody there.  The front line
                            people have more senior people they can escalate
                            things to (usually multiple levels).  Even during
                            holidays and weekends, there should be somebody
                            on call in engineering capable of addressing the
                            problem.  Coordintaing support and engineering like
                            this is hardly a problem unique to AOL.  Oh, and
                            AOL never said they hadn't seen it; they said
                            they wanted more time to work on it.
2002/1/2-3 [Computer/Networking, Computer/SW/Security] UID:23431 Activity:high
1/1     I'm using SecureCRT over a 33.6 modem to connect to soda, and my
        connection consistently is reset after typing just a few
        characters (for instance, I couldn't type this post using it).
        I've tried ssh 1 & 2; 3des, rc4, and blowfish; and several
        different server types, with no improvement.  Why is this
        happening?
        \_ SecureCRT does that with DSL connections for me.  Not that bad
           but enough for me to curse it or windows.
        \_ Could be flaky modem connections or so--although that usually
           happens with v.90 (56.6k)--doesn't ssh have some sort of error
           checking to make sure no funny business is going on with your
           connection?  I would try to bring down the connection speed to
           1200 and then gradually increase it and see what happens.  Also
           for fun try another ssh client like TeraTerm to compare.  -John
        \_ Try putty, it works better than SecCRT on dialup lines (at least
           that was my experience when I was in India and had to deal with
           the dial up lines there).
           \_ putty?  barf!  Putty was dropping me from a rock solid T1 line.
              This is definitely what they meant by "get what you pay for"
              when it comes to software.  Tera Term takes an extra 30 seconds
              to setup, is free, and unlike putty, it works.  I'd rather go
              back to whistling in the phone then use putty.
              \_ I use putty on both T1 and dial-ups.  It never drops any
                 connctions.
        \_ I've used SecureCRT on dial-up and over cable and, with the
           exception of campus network outtages, have never had problems.
2001/12/31-2002/1/2 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:23421 Activity:moderate
12/31   Anybody know what's going on with the National Park service web
        site?  http://www.nps.gov  It used to be the most complete web site on
        national parks and now it's gone.  What the hell?
        \_ I think it's a GWB VRWC conspiracy.  Soon it'll point to
           <DEAD>www.evil_white_men_in_office.com<DEAD>
        \_ Hacked by Chinese!!!
        \_ The ENTIRE Department of the Interior (which includes the NPS) was
           disconnected from the Internet by court order on December 5th (the
           result of a lawsuit against the government for poorly securing DOI
           computers handling Indian trust-fund accounts).  If you visit
           http://www.doi.gov it'll tell you that the only Interior bureau currently
           allowed to connect to the Internet is the USGS.  -- kahogan
           \_ I'll bet this was a Bush appointed judge.
             \_ Needless to say, the systems found so insecure the DOI had
                to be forced off the net were windows based...
           \_ http://forum.fuckedcompany.com/fc/phparchives/search.php?search=usgs
           \_ Does it only apply to only HTTP or does it apply to everything
              including e-mail?
2001/12/27-28 [Computer/SW/P2P, Computer/SW/Security] UID:23378 Activity:very high
12/30   is it just me, or is kazaa empty right now?  did those busts actually
        kill it?
        \_ or maybe it's because most college kids are at home during winter
           break?
        \_ Those busts have nothing to do with the gutter-warez you find on
           Kazaa. They busted a wholly higher-class of warez-hosers.
           \_ DoD hadn't put out anything of note in 18 months.  They didn't
              bust anyone important to the scene.
              \_ They will never bust the most cruical warez ring and that
                 is the casual copier. They can never stop someone from copying
                 office from work or giving a copy of the latest game to thier
                 pals so that they can have a lan party.
                    visiting a warez page be illegal?  conspiracy charges?
                    please.
        \_ Is it illegal to visit warez web sites?
           \_ why would it be?
              \_ because warez is illegal?
                       own use and linking to computers software will be
                 \_ downloading or distributing warez is illegal.  why would
                    visiting a warez page be?  conspiracy charges?  please.
                          original. - Bill G.
                       \_ that's surfing with intent to download! Better
                          plead no contest and ask for leniency from the
                          judge.
                    \_ How do you legally distinguish mere surfing and
                       downloading?  Afterall all these packets of warez
                       coming to your computer is an act by another computer
                       while surfing and clicking on links is your action.
                    \_ yeah... that's just stupid.. i mean, next thing you
                       know, making copies of stuff you already own for your
                       own use and linking to computer software will be
                       illegal...
                       \_ You shouldn't make copies, you should buy a spare
                          original. Kids these days with thier Linux/Open
                          Sources/Free Software. They make me sick. - Bill G.
                          \_ YEAH!  FUCK FAIR USE.  FUCKING CONSTITUTION!
                             FUCKING US CODE!! - Mini-Bill-Me
                             \_ You napster, gnutella, audio galaxy and kaaza
                                junkies don't know what "fair use" means.
                                Fair use means that you have the right to
                                listen to your original cd in your stereo
                                and your car. It doesn't mean you can make a
                                copy for your friends and it certainly doesn't
                                mean that you can make a near-perfect digital
                                copy that can be re-distribute illegally to
                                strangers via the internet. Now you kids need
                                to stop illegally copying music, movies and
                                software and start buying it. Otherwise all
                                the poor artists will have to go back to a
                                career in food service and start suffering
                                for thier art and we won't be able to make
                                the kind of money that is necessary in order
                                to maintain our land rovers, our pacific
                                palasides bungalows and our all armani,
                                versace and bally wardrobes. - RIAA
                                \_ Start paying the artists instead of
                                   keeping all the money yourself and
                                   I'll consider it.
                                \_ Strange thing is that all my artist friends
                                   are already on the verge of waiting tables
                                   although in terms of art it is the likes
                                   of Britney who should be in the personal
                                   service business.
2001/12/23 [Computer/SW/OS/Linux, Computer/SW/Security] UID:23354 Activity:nil
12/22   How do you make OpenSSH 2.5.2p2 works with Debian Linux 2.2 r4?
        ssh into this machine kept on getting denied while everything works
        fine with OpenSSH 1.2.3 (precompiled for Debian). Does that mean
        Debian 2.2r4 doesn't support ssh2x? Thx in advance! - jthoms
2001/12/20 [Computer/SW/Mail, Computer/SW/Security, Computer/SW/Unix] UID:23321 Activity:nil
12/19   I'm running Redhat 6.1 for about a year with no problems and over
        the last 5 days or so it's been taking a really long time to log
        into my machine through ssh or ftp. sendmail and samba don't seem
        to be working right either, though apache is fine. i'm not even
        sure what to look for, any advice?
        \_ look for timeouts due to dns - are your daemons waiting for
           dns to time out?
        \_ have you been applying security patches? if not, do a rootkit
           scan.  everyone i know who ran such an old install without
           patching has been rooted via an ssh vulnerability.
2001/12/19-20 [Computer/Networking, Computer/SW/Security] UID:23308 Activity:low
12/19   Anyone ever tried ATT Broadband phone service? They have a good
        deal right now but I don't want to cancel PacBel, then find that
        quality sucks or something, and have to pay a re-instatement fee
        with PacBell.
        \_ I've got AT&T Digital Phone Service. It is excelllent.
           A couple interesting things though: 1) they install a small,
           shoebox sized battery somewhere in your house. It keeps
           the phone working in a power failure. 2) The installation USED
           to be done by a crappy subcontractor company. (inept)
           But the AT&T service employees that have since come out for misc.
           things have been VERY skilled and helpfull.
           Phone, Internet, CableTV all come in through a Single Coax cable.
           You can keep your phone number, which means getting worth from
           paying PacBells "Number Portability Charge" all those years.
           \_ thanks for the info... I was about to sign my post as
              "chialea" to try and solicit some responses.
2001/12/19-20 [Computer/SW/Security] UID:23306 Activity:low
12/19   http://www.theage.com.au/news/national/2001/12/20/FFXPK6KZDVC.html
        Mmmm!  That new car smell!  It's only cancer....
        \_ One reason to buy used cars.
2001/12/15-16 [Computer/SW/Security] UID:23258 Activity:kinda low
12/15   I have cable srevice by at&t, but I don't think this is a problem
        with my cable service.  Basically, I have a linux 2.2 natd box for
        connections from my internal network.  I have win98/ win2k/linux
        behind the natd box.  WHen I ssh out (OpenSSH_2.3.0p1 or ttssh),
        if I am idle for say, 5 mins, the connection is cut..reset
        by peer.  Why does this happen, and how do I fix it?
        \_ I don't have this problem with a similar setup.  Could the other
           side be idling you out?  I _have_ had that problem.
        \_ This is a problem with ipchains. It doesn't have any state, so
           it has no idea about connections and things like that, so to keep
           from having NAT sessions open forever, it has timeouts for inactive
           NAT sessions. I forget where you change this (it's been years since
           I used ipchains, since iptables (linux 2.4 filtering) is so much
           better.) however, I'll bet money that that is your problem. Look
           it up in the ipchains HOWTO, I believe it is in there, and increase
           the timeout for TCP, since the default is something low, like 5
           minutes. There may be a way to get ssh to send connection keep
           alive packets, which would solve the problem without having a large
           timout value, so I'd look into that as well. Or, just switch to
           2.4, and use iptables. Stateful packet filtering is your friend.
               -- ajani
           \_ thanks!  when i was using ipf on openbsd I kind of took this for
              granted.
           \_ NAT is stateful by definition. You can't do NAT without keeping
              session state information. NAT session timeouts exist in all
              implementations, not just ipchains because if you don't expire
              the idle sessions, there is a higher chance that the NAT session
              state table will eventually fill up. What Linux iptables adds is
              a session state tracking for non-NAT sessions as well.
           \_ Uh, the ipchains NAT session timeout default is way bigger than
              a few minutes. Check the HOWTO, it is more like several hours.
2001/12/11-12 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:23214 Activity:very high
12/11   http://www.google.com/googlegroups/archive_announce_20.html
        \_ http://groups.google.com/groups?selm=3lje5o%24n7h%40agate.berkeley.edu
        \_ Does "Usenet newsgroups" mean all the newsgroups I can see when I
           run trn?  Are there newsgroups that are not Usenet newsgroups?
           Confused.
           \_ It means Usenet groups before the big re-org. talk.* and net.*
              stuff. It doesn't have my 1985 posts, but it does have some
              1986 stuff I wrote... It scares me.
        \_ Say, what newsgroup did the Ahm/Blojo incident happen in?
           \_ ucb.erotica.sensual, but I can't find the exact original posting,
              just aftermath signs such as:
              http://groups.google.com/groups?start=100&hl=en&group=ucb.erotica.sensual&selm=4a1t98%24nk0%40agate.berkeley.edu
              http://groups.google.com/groups?start=100&hl=en&group=ucb.erotica.sensual&selm=frrawx7xfx.fsf%40sigma.veritas.com
              Anyone have the original ahm/blojo postings archived?
              -alexf
           \_ http://groups.google.com/groups?q=+%22tawei+liao%22&hl=en&scoring=d&rnum=8&selm=58t1r7%241ev%40agate.berkeley.edu
              \_ is this for real?  real or not, did it work?
                 \_ http://www.ereview.com/archive/tawei
                    Status: single
                    Must not have worked...
              \_ Hmm...what happened to Tawei?  He was quite a character.
        \_ http://groups.google.com/groups?selm=3ljdjg%24mu6%40agate.berkeley.edu
           http://groups.google.com/groups?selm=31jp6o%24oc2%40agate.berkeley.edu
           http://groups.google.com/groups?selm=2ron5j%244iu%40agate.berkeley.edu
2001/12/7-9 [Computer/SW/Security, Politics/Foreign/Europe] UID:23179 Activity:high
12/7    What is the best way to transfer funds between accounts in U.S. and
        another country (in Europe) without fee or getting riped off
        by special conversion rate?  The amount is small and just to cover
        my expenses when I travel or order internationally, i.e. < $2000.
        \_ My dad has a US checking account at B of A.  Every month I make
           a deposit to his account at a branch here, and he withdraws the
           money at a branch in Hong Kong.  No transaction fee, but I don't
           know if the conversion rate is the same as the standard rate.
           \_ I asked at the Bank of America in Hong Kong whether
              one can access his US account in HK, the answwer I get
              is plain no, as Bank of America Asia supposedly cannot
              access account of its parent bank in US.  If you are
              converting from USD to a foreign currency, you are bound
              to pay a conversion fee (3% I think in most banks). You
              can open an USD account in a more established financial
              houses (like SG), so you can withdraw funds outside of US
              much more easily.  But for $2000, it's easier to get
              travel's checks.
              \_Tnx for the reply.  However often the need to transfer
                money arises and the amount becomes known while I am outside
                U.S., not to mention carrying traveler's check is like
                carrying cash other than being much safer.
                \_ I've heard from a lot of people that ATMs are good,
                   you get better (minimal but still significant)
                   fees. Better than changing cash out.
                   \_ but you cannot deposit foreign currency to your account
                        from abroad.
                        \_ Go back and read the stated objective, duud.
                \_ Use your credit card. You'll get the best exchange rate
                   and if you pay it off, the fee will be minimal. No cash
                   that you need to carry which should eliminate the cost of
                   foreign->US.
                   \_ Depends. While I was in Europe this past summer, it was
                      cheapest for me to just withdraw cash from ATMs: BofA
                      was tacking a "foreign currency conversion fee" to each
                      of my CC transactions, while for the ATM withdrawals, I
                      was getting the interbank exchange rate without any
                      additional fees.  When I lived in Germany, I had my
                      paychecks direct-deposited to my credit union account
                      in the US and paid for everything in cash: if my needs
                      exceeded the daily transaction limit, I planned ahead
                      and visited the ATM multiple days in a row.  If you
                      want an account at a bank that has a presence on both
                      sides of the Atlantic, I've heard that Citibank and
                      HSBC are good choices for US->Europe expatriates,
                      although I have no experience with either.  -- kahogan
                \_ which ever route you choose, make sure you don't go to
                   the foreign currency exchange booth at traverler's spots.
                   Their rate is horrible.  (something like 8%)
              \_ That's strange.  Maybe my dad makes his withdrawal by writing
                 himself a check and then cash it at a B of A branch there?
                 I've never asked him.
                 \_  The more I think about it, this is a good way for money

                     laundry.
                 \_ Yes, this is exactly how my father got money at a BofA
                        branch in Taiwan.
2001/12/6-7 [Computer/SW/Security] UID:23162 Activity:moderate
12/5    Did anyone figure out why people are getting those
        "ssh_exchange_identification: Connection closed by remote host"
        errors?
        \_ Too many people were trying to connect to soda at once, and
           openssh started dropping connections.  I've turned up the
           maximum number of unauthenticated connections, so everyone
           should be able to connect now; please let me know if these
           errors come back.  --mconst
           \_ yer the best mconst!
        \_ i usually try "ssh -1"and it works.  there's
            probably a big nasty security hole in there i don't
            care about.
        \_ This morning I tried logging in from outside and I got this error.
           I then tried it again right away and it worked.  I've never seen
           this error before.
2001/12/5 [Computer/SW/Security, Computer/SW/Unix] UID:23147 Activity:low
12/4    Is there a way to run a proram from another machine, without
        having to log into that machine? Specifically, I'd like to run
        an xbiff icon from another machine, on my local machine (so I can
        tell when that account gets mail). I'd like not to have to keep
        the extra xterm open on my local machine.
        \_ "ssh -X foo@bar.com xbiff" might work.  After you enter your
            password you can background the process (or you can & it if
            you have DSA stuff set up).
            \_ or just ssh -f foo@bar.com xbiff
               and it will background itself (you only have to give -X if
               whoever set up the client explicitly made X forwarding off by
               default)
        \_ Run a cron job on the remote host.  Have it check if your xbiff is
           running and if not, run it with the appropriate parameters/env.
2001/12/5-6 [Computer/SW/Security] UID:23144 Activity:moderate
12/5    Has there been a ssh change?  Protocol 1 no longer works, and
        protocol 2 has problem with
          ssh_exchange_identification: Connection closed by remote host
        \_ It could be AT&T (I've noticed the same thing) but there's also
           a recent vulnerability found in ssh1.
           \_ It's not AT&T -- this just happened to me and I have DSL.
              I was able to login after a couple of minutes though. Anyone
              know what's going on?
              \_ I had the same problem from work and we have a T3 (not att).
        \_ I've been having the same difficulty.  I attribute it to rampant
           packet loss into/out of EECS.
2001/11/9-10 [Computer/SW/Security] UID:22994 Activity:nil
11/9    In case you though your money was safe:
        http://www.theregister.co.uk/content/55/22751.html
2001/11/5-6 [Computer/SW/Security] UID:22943 Activity:high
11/5    In ssh1, I can make passphraseless keys that let me login from one
        place to another without typing a password/phrase (yes, yes, I know).
        How can I do this with ssh2?  My man pages aren't helping with what
        I need to put into what files to use passphrases instead of passwords.
        I know how to make the key, just not what to do with it.  Thanks!
        \_ copy .ssh/id_dsa.pub from your local machine to
           .ssh/authorized_keys2 on the foreign machine. - danh
           \_ And chmod 600 ~/.ssh/authorized_keys2 --dbushong
                \_ Did both of these things and it still falls back to the
                   password auth... help?  Does it have something to do with
                   either the IdentityFile or AuthorizationFile settings in
                   sshd2_config?
        \_ add the "-v" flag when sshing, does that tell you
           anything useful?
        \_ Ok, I got it, thanks all.  Our machines had the http://www.ssh.com version
           installed which works a little differently than soda.  I needed to
           specify the dsa and pub files in the identification and
           authorization files with some trivial syntax.  This is from a pdf
           off <DEAD>www.ssh.com's<DEAD> support website.  Nothing in the man pages about
           it.  I guess that's how they make money with support and services.
           What danh and dbhushong said worked perfectly with soda which had
           me confused for a bit.  And -v was pretty useless, unfortunately.
2001/11/5-6 [Computer/SW/Security] UID:22939 Activity:high
11/5    I crossed the Dumbarton bridge westbound this morning.  Not a single
        Coast Guard or cop I saw along the way.  What tight security.
        \_ I drove my van across the Bay Bridge on Sunday. I saw a lot of
           Coast Guards but no one checked my van. What tight security.
        \_ the best security is security you dont see
           \_ Really... what... are the military using thier high tech
              cloaking device or holding on underneath the bridge? or do
              they have sniper men miles away....
              \_ It's like the CDA in Monsters Inc. When shit happens, they
                 just appear 3 seconds later.
        \_ You expected every truck and van to be stopped?  Because of some
           vague warning?  Yes, let's just stop everything everywhere because
           hey, ya know, something *might* happen.
           \_ This is why Davis should have kept his mouth shut.
        \_ Because it wasn't targeted. The Bay Bridge and Golden Gate were.
           I drive the SM and there are CHP patrol cars at both ends.
           \_ I usually take the San Mateo Bridge, but these few days I am so
              so paranoid that I take Dumbarton instead.
           \_ that's fine. But if they don't stop my van when I crossed
              Bay Bridge, how are they going to stop simultaneous attack
              on the bridges? Dumb fucks.
                \_ The bridges were built to withstand 7.0 earthquakes.
                   There's not much your van can do to seriously damage them.
                   The real risk is the cables on the suspension bridges.
                   \_ You think if Timothy McVeigh could make one trunk bomb
                      that could cut through the multi-story fed building like
                      a cake, the Al Qaida folks can't make the same bomb and
                      blow a big hold on the bridge surface(s)?
                      blow a big hold on the bridge surface (or two surfaces if
                      they explode it on lower-deck Bay Bridge)?  Besides, for
                      the suspension ones, if the cables are gone, the bridge
                      falls, right?
2001/10/29-30 [Computer/SW/Security, Computer/SW/OS/Solaris] UID:22862 Activity:nil
10/29   I found "sftp" on my Solaris machine, but I couldn't find the man page.
        Can someone tell me how to specify a user name different from my
        current login?  I tried "-l username" like in ssh, but it doesn't work.
        Thanks.
        \_ Well, if it's anything like sftp on soda:
           soda ~ [12:57pm] sftp -h
           usage: sftp [-1vC] [-b batchfile] [-osshopt=value]           \
                       [user@]host[:file [file]]
           --dbushong
2001/10/29-30 [Computer/SW/Security] UID:22857 Activity:very high
10/29   I tried ssh'ing to my csua acct from my csua acct to test
        ssh-agent and X11 forwarding.  Neither worked, so I created a
        ~/.ssh/config file with the following lines:
        Host *
             ForwardAgent yes
             ForwardX11 yes
        Now, X11 forwarding works, but ssh-agent forwarding still
        doesn't.  Any ideas?
        \_ perhaps your ssh to CSUA from whereever you are (say at work)
           doesnt have X11 forwarding either, whether by buildtime lack
           of support or runtime option.  ssh -v is your friend. -jon
           \_ But X11 forwarding works now, but not agent forwarding....
              \_ oops sorry, got the order reversed when i read your sentence
        \_ Ok, it works if I use ssh -1 csua, but not otherwise.  Is this
           a known issue?
2001/10/24-25 [Computer/SW/Security] UID:22820 Activity:moderate
10/24   My sshd used to accept connections from machines without matching
        reverse lookup.  Then, all of a sudden, today, it stopped.  I changed
        resolv.conf to use a nameserver with made up ptr records and it works
        fine, but the question remains, What changed?  There is no indication
        that sshd has been restarted since the machine was 60 days ago.  This
        is on solaris, using (foolishly) F-secure sshd 2.0-2 which is also the
        same as it has been.  (i did stop some services 2 days ago, but nothing
        that should effect this).
        \_ You've been hacked.
        \_ Maybe you have edited the hosts.allow or hosts.deny files and
           added or removed some rules on those? This would apply if sshd
           was compiled with support for tcp wrappers.
        \_ Or it actually _was_ doing reverse lookups and your DNS broke.
2001/10/21 [Computer/SW/Security] UID:22789 Activity:very high
10/21   If I ssh into machine A and then ssh into machine B and then back
        into machine A, is that slower than if I ssh into machine A and
        stay there?
        \_ Yes, in theory but if your pipe from you to A is smaller than the
           pipe  A <-> B it may not matter much.  If you're only typing over
           this link it won't matter at all.  If you're sending data through
           an ssh tunnel then it could matter a lot.
           \_ What kind of answer is this? Don't answer questions you know
              nothing about. The correct answer is that your latency will
              be increased by double the amount of the latency of your A->B
              link but your bandwidth should not be effected.
              \_ The verb you're looking for is "affected."
                 \_ Unless your subject is psychology, you will seldom
                    use the word affect.
                    \_ wtf are you talking about?  "affected" is the correct
                       word here. "effect" is seldom used as a verb.
2001/10/18 [Computer/SW/Security] UID:22766 Activity:high
10/17   what language uses explicit scope?
        \_ what's explicit scope?
           \_ it's a language that lets you say, "function foo has access
              to var A, and function bar has access to var B"... no matter
              where they are.  think of it as specifically putting an ACL
                          My friend had to have his ACL replaced. He _/
                          was on crutches for weeks.
              on each variable as  to what function can access it.
              \_ BASIC.
2001/10/16 [Computer/SW/Security] UID:22752 Activity:low
10/16   Soda's ssh host key appears to have changed in the past month or
        so.  Is there a way to check the current fingerprint?  -phr
        \_ Sure it's not just that newer versions of ssh also tie the host
           key to the resolved IP address, which just changed?
2001/10/15 [Computer/SW/Security, Computer/SW/Unix] UID:22738 Activity:high
10/15   I want to restrict a user on a linux box from logging in,
        i only want someone to be able to "su" to this account.
        how do i do that?
        \_ why? if they can su to the account, they get the same privs as if
           they'd logged in.  If they can su, they are already logged in...
        \_ Set there starting shell in /etc/passwd to something that exits
           immediately.
           \_ then you won't be able to su to that account
           \_ Yes, you will.  You won't be able to su -
                \_ when you su to a user, it exec's his shell.
                   Get a clue. -tom
              \_ You mean su -m (or the equivalent) su - means "not only run
                 their shell, but do it as a login process"
        \_ set the password to * in /etc/passwd or /etc/shadow; barring
           publickey ssh authentication, the account should be only
           su-able -max
           \_ Ding ding ding.  Max rocks. --#1 max fan
2001/10/14-15 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:22734 Activity:very high
10/14   What is the "best" (reliable, secure, supports IMAP) free web-based
        email service?  Is hotmail good?
        \_ I have had no problems with squirrelmail.
        \_ IMP (component of horde) works great for me.
           \_ I installed IMP a couple of years ago. I wasn't impressed.
              Has it gotten better?
        \_ Bah!  I use mail to read mail!  Anything else is bloat!
           - freebsd #1 fan
           \_ Hi Paolo!
2001/10/9-10 [Computer/SW/Languages, Computer/SW/Security, Computer/SW/WWW/Server] UID:22674 Activity:very high
10/9    so when is Berkeley's DNS supposed to be updated with soda's new
        address?
        \_ when i get done working taking over the world. --phillip
          \_ that's my line - the brain
        \_ HAHAHAHAHAHA!
        \_ At 3am every day
        \_ also, when is the web server going to be running again?
           \_ the joyride is over! call verio!
           \_ Apache doesn't like it when you don't have a valid name.
              Probably tomorrow.  -tom
        \_ will emails received during the downtime be cached, rejected,
           or sent to /dev/null?
           \_ /dev/yermomisabigfatbitchbiggestbitchinthewholewideworld -root
           \_ they should be delivered once the name gets updated tonight. -tom
              \_ root is just so ... rude!!11!
                 \_ you get what you pay for.  if you want quality service
                    try a professional colo
           \_ they'll all be forwarded to the FBI.
              \_ ln -s /dev/null /dev/fbi
2001/10/8 [Computer/SW/Security] UID:22665 Activity:nil
10/7    I'm starting to dig rsync and ssh.  There's some
        caveats that aren't clear to me yet such as how to
        create a passphraseless key but still be able to limit permissions
        on the key.  Anyone know how to do that?
        \_ keychain might be the best you can get-- it keeps your ssh-agent
           running as long as the machine is not rebooted.  That way, you
           can log in to foo, start ssh-agent running in the background,
           add your identities, and use 'em till foo reboots.
        http://www-106.ibm.com/developerworks/linux/library/l-keyc2
        \_ What do you mean?  Without a passphrase on your key,
           anyone with root on the machine your "identity" is on
           can read your key and use it.  With a passphrase, someone
           with root can STILL get your key, but they have to work harder.
           If your key is on a machine that you're certain won't be
           compromised, with absolutely trustworthy root, then you don't
           need a passphrase. If your key is in an NFS-exported directory,
           you need a passphrase.
           [ reformatted ]
           \_ I think what he's trying to say, is that is there a way
              to set group permissions on a passphraseless key so the key
              can only be read by a certain gid (i.e. group foo).
              I don't think this is possible.
        \_ You don't need a passphraseless key; you can just use .shosts.
           \_ unless you don't administer the box..  grr...
2001/10/6-7 [Computer/SW/Security, Computer/SW/RevisionControl] UID:22654 Activity:high
10/05   I am have several accounts each with useful files and I often
        travel.  I am looking for some software that create a virtual file
        system transparently and securely distributed over several locations
        that allow me to access them no matter where I am as if it is some
        file on whatever account/computer I am using.  I have seen some
        "meta-frame" program for Win2000 on my friend's PC but it must be very
        expensive, for large companies and perhaps only works for win2000.
        Please recommend a low budget or free solution, either *nix or
        preferabbly multi-platform.  Ok tnx.
        \_ You may try a file synchronizer, like /usr/ports/net/unison.
           It works on unixen and windows (and is written in Ocaml to boot!)
           -- ilyas
        \_ I assume that you will have net wherever you are...have you
           considered just scp'ing/running rdist via ssh?  That's kludge-y
           but assuming your boxes are on the net, it'll work.  Otherwise,
           if you run the machines, you can run an ipsec vpn between them
           and (ugh) nfs mount between machines.  Both of those would
           be free.  -John
        \_ It sounds like cvs would be a good solution.  With cvs, you
           set up a repository somewhere on your home machine and then
           you can check out/check in files from wherever you are via
           ssh.  Basically you set CVS_RSH to ssh and you set CVSROOT
           to something like :ext:me@mymachine.net:/home/cvsroot.  Then
           use cvs checkout, cvs add, cvs update, cvs commit, etc.  See
           the cvs info file for details.  I've been using this method
           to work on files from home, school, and my laptop.  -emin
        \_ Thanks for all the answers.  It seems that VNC tunnled through
           ssh plus AFS are what I need, if I have the foo to manage it.
           By the way, can AFS traffic be encrypted, say over ssh?
2001/10/6-7 [Computer/SW/Security] UID:22649 Activity:high
10/5    Why do people think IMAP is betting than POP3 here?  Is this an
        security issue?
        \_ Vegas has the best odds when you're betting.
        \_ IMAP has a superset of POP3 functionality.
        \_ IMAP stores messages and folders on the server. This means you can
           access them and from any machine that has an IMAP client. Email
           and folder content stored on the client is just a cache. This allows
           all IMAP clients to see the same view. In addition, clients can
           resync their folder cache and manage folders and email offline.
           This is useful when you read email from a number of
           different machines regularly and want one interface to all your
           various email accounts.
           \_ IMAP _can_ store folders on the server.  That's how most clients
              are implemented.  The protocol can also download and delete just
              like POP.
2001/10/4 [Politics/Domestic, Computer/SW/Security] UID:22625 Activity:insanely high
10/4    Someone please tell me why making airport security screeners to be
        federal employees going to help? I've seen government employees and
        they're still underpaid, laid back, and don't give a damn about you.
        \_ as opposed to airline employees?
        \_ just look at it this way: they can't get any worse.
        \_ Federalizing security means that the employees have to go through
           a basic security check, get paid on a wage scale, get benefits,
           and can make it into a career. It's also a draw for those just
           leaving the military. Crimes against airport security become
           federal crimes and can draw on the resources of the military.
           \_ The law also allows the fed to conduct polygraphs test on all
              Federal employees.
           \_ I thought the US military is not allowed to act against US
              civilians even if the civilians are criminals.
              civilians even if the civilians are criminals.  Is it written in
              the constitution or something?
        \_ You have made an unpatriotic statement. Report to the termination
           vats immediately.
           \_ ^termination vats^Al Qaeda training camps
              \_ how is this statement relevant? -jon
                 \_ The previous poster said "...... federal crimes and can
                    draw on the resources of the military."
                    \_ A better response might be "why is this bad engrish"?
                       anyway, the US Military has been called upon to commit
                       acts against US citizens before.  EO 9066 --jon
                    \_ I had also meant to write ".. draw on the resources of
                       the federal government." I was thinking of the FBI and
                       the newly created Office of Homeland Protection. Better
                       resources than the local politzi.
                       resources than the local politzi. Plus federal money
                       to fund better security toys.
2001/10/2 [Computer/SW/Security] UID:22622 Activity:nil
10/2    Serious question: What should I do if I have my SSN, birth date,
        address, and other personal information stolen?
        \_ if you have material loss, report to the police.  Not that they
           can help you much, but at least the court won't think you're making
           up stories of losses.  Call up your banks/brokers, and let them
           know you have your id info stolen.  Then tell them that no one
           from now on can  access your account without
           a password which you will tell them.  Check your account frequently.
           Unfortunately, this is about all you can do.  You may choose to move
           your assets to a different, less popular bank so the theft will less
           likely to hit you again.
        \_ also call the credit agencies and put a fraud alert on your record,
           this will make it more difficult for whoever has your personal
           information to open new accounts in your name
2001/9/21-22 [Transportation/Bicycle, Computer/SW/Security] UID:22583 Activity:high
9/21    How is the government going to enforce the backdoors in the open source
        encryption software considering that it will be trivial to remove them
        given that you have access to the program source?
        \_ i just want to say something about all this encryption backdoor
           stopping the terrorist horseshit.  If you have a good network
           of human couriers that can act as go betweens once a year or so,
           you can communicate the key to a one time pad generated by
           a random noise source like jonson noise or something.  no one
           can break it, and even a moron can use it securely.  The NSA knows
           this of course.  they want to read YOUR mail, and make morons
           feel safe; this has nothing to do with stopping real threats.
           \_ Practically none of the security restrictions have to do
              with stopping real threats.  You can drive across the Golden
              Gate but you can't bike across.  You can hide a knife in your
              boot getting on a plane but not in your bag.  It's
              a predictable reaction.  -tom
                \_ Maybe they're worried about bikers/pedestrians getting
                   killed by a bomb.  Who cares about car drivers?
              \_ allowing unruly bikers across the bridge (which i may add has
                 the variable # of lanes in either direction) would cause
                 drivers to have more accidents, since bikers will swerve
                 into traffic and assume the car drivers will sacrifice their
                 vehicles to save the bikers life.  (from experience in SF
                 downtown traffic commute).
                 \_ Are you a complete idiot?  There are SIDEWALKS on the
                    Golden Gate.  -tom
              \_ What does your bike-across-the-bridges fetish have to do with
                 terrorism and encryption?
                 \_ They closed the sidewalks on the Golden Gate as a
                    response to the terrorist attacks.  -tom
        \_ Remove the backdoors from the source code?  You mean removing them
           by altering the encryption scheme?
        \_ I think you should do a little reading on this kind of thing
           first.  Then if you still don't understand you can ask your
           question.
2001/9/21-22 [Computer/SW/Security] UID:22579 Activity:nil
9/21    Encryption is in trouble:
        http://www.theregister.co.uk/content/55/21791.html
2001/9/20 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:22556 Activity:moderate
9/20    In Netscape for NT, how do I find out whether it's a 56-bit or 128-bit
        version?  Thanks.
        \_ about: doesn't work for you?
           \_ It says" This version supports U.S.  security with RSA Public Key
              Cryptography, MD2, MD5, RC2-CBC, RC4, DES-CBC, DES-EDE3-CBC."
              Does it mean 56-bit or 128-bit?
              \_ U.S. security probably means 128-bit (as opposed to 40-bit
                 export security)
2001/9/20 [Computer/SW/Security] UID:22545 Activity:very high
9/20    There was something in the last meeting minutes about running
        crack/ripper on the passwords and emailing people about changing
        thier passwords. Has this been done?
        \_ aye.  in process.
           \_ Any idea when emails will be sent out?
        \_ What's that all about?
        \_ I find this offensive and think logging in should be restricted
           for 24 hours.
           \_ Good, bring it before politburo, and I'm sure they'll be glad
              to hear your case. -dans
           \_ What does enforcing password changes have to do with login time?
           \_ What does enforcing password policy have to do with login time?
              \_ I think you are beginning to see his point.
2001/9/20 [Computer/SW/Security] UID:22544 Activity:very high
9/20   A problem for you:  Tom is NATed behind a firewall.  He SSHes out to a
       remote machine which is ALSO NATed and behind a firewall.  (the remote
       FW has a redirect to the remote internal machine which is how he can
       ssh to there).   Tom would like to run an X-term on the remote machine
       and have it (tunnled through ssh obviously) display on his local machine.
       Assuming he has root on the remote box and his box, but that any access
       to either firewall (especially the remote one) involves painful red-tape,
       What is the easiest way for tom to accomplish his objective.
        \_ "X11Forwarding yes" in your sshd_config and use "ssh -X" to
            get to machines.
                \_ Error: Can't open display:
        \_ chances are your error is unrelated to the NATing.
           \_ I agree with my esteemed collegue.
           \_ It is more likely due to your broken ass boxes
           \_ Indeed.  If you can ssh successfully, it can forward X.
2001/9/19 [Computer/SW/Security, Politics/Foreign/MiddleEast/Iraq, Computer/SW/Unix] UID:22516 Activity:nil
ladenix 5.0 (jihad)

login: _
2001/9/18 [Politics/Domestic/911, Computer/SW/Security] UID:22507 Activity:insanely high
9/18    http://news.cnet.com/news/0-1005-200-7215723.html?tag=mn_hd
        " U.S. citizens back encryption controls "
        Right, only American companies can write encryption code/product,
        and the intelligence failure to warn the attack is due to, or partly
        due to encryption products!  Classical "not my fault" syndrome.
        Let's ban commercial airlines because their planes are used in the
        attack.  Let's ban all knives because they are used in the attack.
        \_ lets ban all people because they were used in the attack.
           \_ Let's ban religion. religion is the root of the Northern Ireland
                                  \_ Try economics.  There's not much that
                                     was ever perpetrated solely because of
                                     religion.  People aren't that pious,
                                     no matter what they may say.
              conflict, Palestine, Pakistan/India, and various historical
              atrocities. Not to mention the Holocaust, Cyprus, Kosovo, etc.
              atrocities.
              That's the one thing I didn't mind about China and USSR.
              Freedom FROM religion.
              I guess I don't mind Buddhists. They never slaughter anyone.
              (right? i'd be interested to learn otherwise.)
              \_ Tibetan Buddhism was the state religion of the Mongol Khans,
              \_ Tibetan Buddhism was the state religion of the the Mongol Khans,
                 possibly the most murderous forces in known history. Zen
                 Buddhism, as connected with Imperial Shinto during the
                 years leading up to the Japanese expansion, was part and parcel
                 with the philosophy that guided that set of warriors.
                 \_ So is there such a thing as a religion that doesn't have
                    significant blood on its hand?
                    \_ Quakers?
                 \_ Well, I see that as just being their personal philosophy,
                    and not something that actively caused strife. I mean, I
                    don't think they cared what religion other people were when
                    they were conquering them, they just wanted to conquer them.
                    That's good, honest conquest. They weren't haters.
                 \_ Imperial Shinto?  Zen Buddhism is very different from Shinto.
                    What is your source?
              \_ The Shaolin monks in ancient China once fought for an emperor
                 in the Tang dynasty against rebels in the region.  I think in
                 return the emperor gave the Shaolin temples exclusive rights
                 among all Buddist temples to openly practise martial arts, or
                 something like that.  But that you can say they fought for a
                 good cause.
                 in the Tang dynasty against rebels in the region.  But that
                 you can say they fought for a good cause.
                 \_ yeah, nothing wrong with that. no hatred, no frothy fervor.
        \_ lets ban the internet in the US!
              I guess I don't mind Buddhists and Hindus. They never slaughter
              anyone.
              I guess I don't mind Pengiuns. They never slaughter anyone.
                    That's good, honest conquest.
2001/9/13-14 [Computer/SW/Security] UID:22438 Activity:nil
9/13    Well, the anti-crypto people are at it again:
        http://www.wired.com/news/politics/0,1283,46816,00.html
        \_ "They that can give up essential liberty to obtain a little temporary
           safety deserve neither liberty nor safety." -- Benjamin Franklin:
           Motto of the Historical Review of Pennsylvania, 1759
2001/9/13 [Computer/SW/Security, Politics/Domestic/911] UID:22421 Activity:high
9/12    This is probably the scariest thing I've read all day:
        http://www.opinionjournal.com/extra/?id=95001106
        \_ I heard the FAA is going to add another question at the checkin
           counters: "Why are you travelling."  Yeah, they're going to block
           the terrorists when they answer "Well, I'm planning to hijack this
           plane."  I feel safe now.
           plane."
2001/9/13 [Computer/SW/Security] UID:22420 Activity:nil
9/12    There are people looking for loved ones inside of New York City.
        C'mon computer geeks!  Can't we setup an online forum/system
        service to help match people with loved ones in New York City?
        \_ This has been left as an excersize for the poster. But seriously,
           without adequate bandwidth and pubilicity I'm not sure how
           useful the effort would be?
           \_ that's why you are computer geeks, right?  You are capable.
                Slashdot, newsgroups, people who want to donate
                ISP space...
        \_ There already is one. At Berkeley, too.
           \_ URL?
        \_ <DEAD>safe.millennium.berkeley.edu<DEAD>
           It has bw and server capacity.  it's on the news. --jon
           \_ It's all over the wires as well, as a matter of fact. -alexf
           \_ some people can be so insensitive.  They are adding names
                (on the other services) like Beavis and Butthead and
                Christina Aguilara.
2001/9/11 [Computer/SW/Security] UID:22378 Activity:very high
9/10    Why does OpenSSH default to "ForwardX11 no"?  Given X11's lack of
        encryption, isn't this the best way to do X11?
        \_ X programs can do more than just open windows on your desktop --
           they can also do things like capture images of your display (as
           xwd does) or intercept the keystrokes you type (as most window
           managers do).

           This means that, while it's safe to telnet to a random machine you
           don't trust -- it can't do anything to your local account -- it's
           *not* safe to ssh with X forwarding to a random machine, since
           that machine could (say) start monitoring the passwords you type
           into other windows.
        \_ Yes, but they believe X11 forwarding should be something you
           request as it can open security holes if you do it wrong.
           \_ So what can I do wrong when using SSH's X11 port forwarding
           \_ So what kind I do wrong when using SSH's X11 port forwarding
              that would open a security hole?
                \_ xhost +, which would then allow anyone on the remote machine
                   to snoop everything you type, completely destroying the
                   usefulness of ssh
                   \_ This doesn't make sense. Why would someone who is using
                      ssh want to use xhost at all and if you do "xhost +"
                      it shouldn't matter whether you use ssh or not because
                      either way there is a huge wide open hole at this point.
           \_ less things to try to hack.  period.
2001/9/7-8 [Computer/SW/Security] UID:22349 Activity:very high
9/7     The DMCA just plain sucks:
        http://news.cnet.com/news/0-1003-200-7079519.html
        \_ Why are all you liberals trying to get things for free?
           \_ This is not about things being free. I don't mind paying for a
              good security solution. What I don't like is the fact that most
              people are scared into silence by the DMCA.
              Let's say that RSA, DH or AES was covered by DMCA and I found
              a weakness. I'd be scared of reporting my findings because I
              don't want to do hard time in a federal jail for violating the
              DMCA. If I don't report my findings people will continue to use
              a compromised security system. Someone less scrupulous than I
              may discover the same weakness and exploit it, which is very
              frightening.
          \_ yeah, everybody should pay for everything, all the time.  listen to
             the whims of the corporations.  screw fair use too!
          \_ As inconvenient as it might be to your conservative agenda,
             we still have the freedom to speak and think freely.
             \_ Liberals are the ones who try to limit freedoms.
                \_ Who is the one locking everyone up?
                   \_ The Feds, regardless of political associations,
                      have always been about locking up people. That's
                      why we have the second amendment. So that they
                      can't take your rights from you.
2001/9/6 [Computer/SW/WWW/Browsers, Computer/SW/Security] UID:22322 Activity:low
9/5     does shit like this still happen?
        http://www.techlawjournal.com/courts/kathleenr/20010306op.asp
        or is that only in backwater states?
        \_ um dude, that's livermore, ca.
        \_ and what's wrong with it? an idiot woman brought an idiot suit
           to court, and the case was dismissed.  BFD.
                /- I think she IS an idiot, trying to make up for her own
                   bad parenting skills.  Obviously, this kid knew what he
                   was doing; (printing his school schedule over the top
                   of a "scantily clad woman"--how much money did he get
                   for that from his buddies?) the library was just a means
                   to an end. --sowings
           \_ I don't think the woman is an idiot.  I think this scum is smart
              enough to realize that she can probably make some quick bucks by
              filing this idiot suit and reaching a settlement.  Oh did she
              remember to get the media involved?  Oh she might even be able to
              write a book afterwards on how her son's innocence was violated
              and how she was physically and emotionally hurt and how she
              spent years in turmoil before she recovered and blah blah blah.
        \_ You are right, this is terrible. Those librarians should be shot.
2001/9/1 [Computer/SW/Security] UID:22315 Activity:nil
8/31  check it out.  Logged in from explorer on a mac (to csua/ssh)...
SODA_1%  which ssh
/usr/bin/ssh
SODA_2%  ssh me@x.x.x.x
SODA_2% history
     1   23:09    which ssh
     2   23:10    history

  it's like i just hit "enter" instead of the ssh command.  what up?
2001/8/31 [Computer/SW/Security] UID:22312 Activity:nil
8/31   Is it ok to ssh to a remote machine as root?  I need to write a script
       to do some administration jobs in a remote machine.  Should I do ssh to
       the machine as root and then execute a command or ssh as a normal user
       and then use sudo to execute the command?
       \_ It really ends up equivalent.  SSHing directly as root is probably
          easier.  /etc/ssh/sshd_config
          PermitRootLogin yes
          IgnoreRhosts no
          RhostsAuthentication no
          RhostsRSAAuthentication yes

          Then, as root on the _server_ ssh back to the _client_ to get a copy
          of the client's host key in your known_hosts file.  Now just make
          sure you have the client in the server's root's .shosts file, and
          you should be good to go.
2001/8/30-31 [Computer/SW/Security] UID:22297 Activity:nil
8/30    Well, it was bound to happen; a worm masquerading as a security advisory:
        http://www.theregister.co.uk/content/56/21376.html
2001/8/29-30 [Computer/SW/Security] UID:22285 Activity:kinda low
8/28    I use my cory account to ftp from campus labs when secure
        alternatives aren't available, so I basically treat it as
        hacked/hackable.  But assuming that I need to get to soda from
        cory, which is more secure-- password-based normal logins, or
        password-protected DSA files?  Or are they both about the same?
        \_ Why are secure alternatives not available? You can always use
           scp to transfer files or just log in with Java ssh with those
           library machines.
           \_ I use the NT/Mac machines in Evans/Wheeler/LeConte.  I've
              never once been able to use scp/sftp... something about
              incompatible ssh versions.
              \_ probably not incompatible ssh versions, probably that
                 they just have some free windows ssh client that doesn't
                 support scp. Try just using the command-line windows
                 ftp combined with s/key. That should do the trick.
                                      - rory
                 \_ Is there a good web s/key calculator that doesn't need
                    java?
              \_ Get WinSCP.  Very good graphical scp for just this issue.
                 http://winscp.vse.cz/eng --scotsman
                 \_ WinSCP has some pretty nasty UI issues.  Better than
                    nothing though.
                 \_ Also PuTTY/PSCP (Google search "putty") -- schoen
                \_ I think the problem is that these apps aren't installed
                   in campus labs.  I've mailed admin about it; no response.
2001/8/23-24 [Computer/SW/Security] UID:22219 Activity:kinda low
8/22    Someone mentioned something about using scotch to get to CSUA via
        port 80. How do I get an account on scotch?
        \_ if you drink enough scotch, you won't care about this stuff.
        \_ ask for an office acct.  get your sid and come to 343.
        \_ scotch port 80 forwards to csua.
        \_ some nice person should post how to use the port
                forward on scotch, i can't remember right now
           \_ ssh http://scotch.csua.berkeley.edu -p 80. is that what you are asking?
              \_ though ssh is idiotic and doesn't include ports as part of
                 the host definition in the known_hosts file, so this will
                 tend to confuse it.  You're better off putting:
                 Host soda
                    HostName http://scotch.csua.berkeley.edu
                    Port 80
                 in your ~/.ssh/config file, and then just "ssh soda"
                 --dbushong
2001/8/21 [Computer/SW/Security] UID:22196 Activity:nil
8/20    Anyone have exprience with Broadbandnow as a high-speed internet
        service provider?  How is their service, bandwidth, etc.? thanks.
2001/8/21-23 [Computer/SW/Security] UID:22195 Activity:high
8/20    anybody have an ssh-over-http tunnel to soda that they're willing to
        share?
        \_ http://www.csua.berkeley.edu/ssh ?
           \_ doofus.  he wants to run ssh using http as base for an IP layer.
        \_ I was looking for this a while ago.  There's some stuff on the
           open source sites but I don't recall which.  Try freshmeat and
           then sourceforge.  I don't think it was on http://kernel.org.
        \_ use scotch
          \_ Actually I  have been looking for a ssh-over-http tunnel
              that actually uses HTTP protocol, as tcp/80 can get intercepted
              by annoying http only things like caches and proxies.
                \_ That would be very painful.  HTTP makes a very poor
                   interactive protocol - the header overhead would kill you.
                   \_ people behind corporate proxy servers don't have a choice.
                      do you have any better alternatives?
2001/8/20 [Academia/Berkeley/Ocf, Computer/SW/Security] UID:22191 Activity:high
8/20    http://socrates.berkeley.edu:7015/email
        I've graduated many years ago. How are they going to enforce my
        soda account termination?
        \_ we can port and run re-reg (from the ocf).
           \_ the ocf hasn't run re-reg in years, and has no intention
              of running it anytime soon.
              \_ maybe.  maybe it will now.  Maybe you ought to think about
                 options.  Looks like a non-issue for now tho.
              \_ "years" meaning, what, 3?
        \_ What's the page about?  My browser can't find it with the URL above.
2001/8/20 [Computer/SW/Security, Computer/SW/Unix] UID:22180 Activity:very high
8/20    [this is a copy of a message from Mike Clancy, posted here to gather
        ideas]
        I'm designing a "security" quiz for 9E.  Topics I've thought of so
        far include file permissions (what should be readable/executable and
        what should not), the sequence of directories in $PATH, use of xhost,
        and setting up ssh access.  I'd appreciate any other suggestions you
        might have.
        \_ why setuid/setgid shell scripts are bad and typically not supported.
           how to resolve of the problems with setuid shell scripts and
           chgrp, why chown is restricted to superusers.
           the limitations of those "solutions"
           Why setuid/setgid programs are good/bad
           chgrp, why chown is restricted to superusers. --jon
        \_ directory permissions: difference between r-x and --x
           and how command line args (e.g. vi filename) show up in ps output
        \_ What the sticky bit is, and why you would use it.
        \_ Why /etc/passwd is world readable but /etc/shadow is not.
        \_ Why anyone who has to take 9E having root is a bad idea.
           \_ What's 9E? - non ee/cs alum
              \_ self-paced unix course
        \_ How to tell when paolo is running a script that deletes the motd
           every 3 minutes.  -tom
        \_ What's a jail, what does tripwire do.  -John
        \_ Using my 1st amendment right, I disagree with tom.
        \_ How to figure out that paolo is running a script which deletes
           the motd every 3 minutes.  -tom
        \_ Why you shouldn't use any English word, however uncommon it is, as
           your password.  -- yuen
        \_ Why two bits of salt for a passwd is bad.
        \_ Why xhost should never be used and how to use xauth -alan
                 http://www.xs4all.nl/~zweije/xauth.html
           \_ Why xauth is too much trouble and how to use ssh.
        \_ tom, are you still an undergrad?
            \_ no.
               \_ to paraphrase Theo: "Perhaps you should stay clear of
                  discussions where the roles of undergraduate cs students --
                  especially what their responsibilities-- are being discussed."
2001/8/19-20 [Computer/SW/Security, Computer/SW/OS] UID:22176 Activity:high
8/19    Is this normal behavior:
        soda:~>dmesg | more
        <DEAD>kofthewest.com<DEAD>, AF_INET) failed
        pid 33773 (a.out), uid 1216: exited on signal 11 (core dumped)
        \_ as of: Sun Aug 19 20:42:43 PDT 2001
           it is now saying:
           soda:~>dmesg | more
           : getaddrinfo(209-76-220-17.bankofthewest.com, AF_INET) failed
           pid 33773 (a.out), uid 1216: exited on signal 11 (core dumped)
           pid 24745 (trn), uid 30148: exited on signal 6
        any ideas?
        \_ seems like the kernel message buffer got set really low.
        \_ I think some hackers from bankofthewest have gotten into
           your kernel. REBOOT IMMEDIATELY!
        \_ pid 9236 (sshd), uid 0: exited on signal 11 (core dumped)
           WTF is sshd dumping core?
2001/8/19 [Computer/SW/Security, Computer/SW/Virus] UID:22175 Activity:high
8/19    Hi Dr Nick! -
   http://www.computersecuritynow.com/article.php?sid=36&mode=thread&order=0
        \_ I got tape worm...
2001/8/18 [Computer/SW/Security, Computer/SW/WWW/Server] UID:22162 Activity:kinda low
8/17    On 18 July, just as Code Red was starting to scan for vulnerable
        web servers, a CSX train carrying hazardous materials was
        derailed in the Howard Street tunnel in Baltimore, US.
        The derailment and subsequent fire severed cables running through
        the tunnel used by seven of the biggest net service providers to
        swap data.
        These companies started reporting disruption to the usual running
        of the net just as Code Red was hitting its stride, leading many
        people to assume that the worm was doing the damage.
        Analysis by Keynote has shown that even at its height, Code Red
        posed no threat to the running of the net.
        (http://news.bbc.co.uk/hi/english/sci/tech/newsid_1470000/1470246.stm
        - anyone else hear about the fire?
        \_ yes
        \_ It was in the news on TV.  But I thought Code Red was later than the
           train accident.
           \_ What they DIDNT SAY, was that the train had a WBEM system,
              hosted under IIS, which caused the derailment once the
              web control interface crashed.
              \_ you gotta be kidding.
                 \_ muah-hahahahahaha.... the sad thing is, it's plausible, eh?
        \_ It was noted right away in the RISKS digest (aka comp.risks)
2001/8/15-16 [Computer/SW/Security] UID:22126 Activity:moderate
8/15    security doesn't matter, my ass. Code red is running rampant on
        the financial aid office machines.  I wonder how much sensitive
        information can be grabbed from there.
        \_ It does matter, but not many people are willing to spend
           money on them.  I m very glad to see someone's finally pulled
           off code red just to make everyone aware network security
           is very important.
           \_ It hasn't raised enough awareness. The vast majority of
              Americans condone Microsoft for making such an insecure
              OS and accept the fact that worms and viruses are
              inevitable. If anything, Code Red is telling Americans
              that the time to deal with these problems is after the fact
              and that buggy software that requires a constant stream
              of security updates is acceptable.
2001/8/13-14 [Computer/SW/Security, Computer/SW/OS/Windows] UID:22101 Activity:very high
8/13    Edlin is the standard!  Seriously, just wondering who has
        used edlin before.
        \_ oh baby yeah.  my dad taught me edlin when i was 10 or so.  it
           was easier than the funky diskedit clone he'd use for other things.
           --scotsman
        \_ I have... -geordan
           \_ I suppose you were using a pre-"edit" DOS version?
              \_ I remember editting autoexec.bat and config.sys with
                 edlin.  That must have been in the DOS 3.x era.
              \_ Yes.  Boy, when "edit" came out (yeah, it was qbasic,
                 but no one really cared) it was like a whole new world.
                 Much better than the treebark I used to use.  And I liked
                 it.  I loved it.  -geordan
                 \_ ditto.  DOS 3.x or before had no edit.  edit was so
                    cool.  What was the last official dos version?  6.11?
                    \_ 6.3?
                    \_ There was PC DOS 7.1.  Don't know about MS-DOS.
        \_ I vaguely remember back in the pre-"edit" days I used something
           else other than edlin to change config.sys and autoexec.bat, but
           I forgot what program it was.  I think I used edlin only once or
           twice.
           \_ copy con c:foo.sys and then hit ctrl-z when done - paolo
              \_ The truly lazy hit F6. -geordan
2001/8/7 [Computer/SW/Security, Computer/SW/Unix] UID:22028 Activity:nil
8/7     How is it that whenever I sign into my hotmail account, MSN
        Instant Messenger some how starts and re-registers itself
        to execute at login, without it ever asking me for permission?
        \_ Error: incorrect operating system detected. Please try again.
2001/8/5 [Recreation/Food, Computer/SW/Security] UID:22008 Activity:high
8/4     What do most bio majors do once they've applied to med school for
        two years on a row and got rejected both times? Do most of them
        just end up in the food service industry like history majors do?
        \_ is the food service industry big enough for english, history, AND
           bio majors?
           \_ Don't forget philosophy, psychology, ethnic studies, women's
              studies, religious studies, mass comm, sociology, and poli sci.
                \_ No. Philosophy majors (unless going to law school), upon
                   graduation, immediately enter an eternal state of
                   unemployment.
              \_ Soylent green is made of people! You've got to tell them!
                 Soylent green is people!
        \_ I think many apply to med schools in other countries. And I
           got the impression that those doing bad enough to not even
           get into those have already changed majors by that point.
           \_ Agreed
              http://www.thinkgeek.com/images/zoom/despair-poster-stupidity.jpg
        \_ From what I understand, there are other options for bio majors
           besides med school.  Some go into grad school, some go into
           pharma, and some go into completely different career paths.
           Most of the ones I know, however, ended up in pharma.  -chaoS
2001/7/28 [Computer/SW/Security] UID:21980 Activity:high
7/27    In Applied Cryptography he basically comes out and says that IDEA
        is pretty much the cypher to use for max. security, but I keep hearing
        about this thing called AES that is "better". Anyone know where
        I can find a comparision of AES to IDEA in terms of the resitance
        to linear and differential crytanalysis.
        \_ from Schneier's mouth, he has no problem with AES/Rjendael; and
           things it should be used widlely.
           \_ Where did you hear this? AES isn't covered in ACv2. If there
              is a v3 I'd buy it just to read about AES.
              \_ See http://www.counterpane.com/crypto-gram-0010.html#8
                                        -- misha.
                 \_ Thanks this is perfect.
        \_ AC is somewhat out of date in this regard; I think IDEA isn't really
           a contender for use in new applications due to the patent and the
           fact that various newer ciphers are at least as good. I don't have
           any particular suggestions as to where to look for information
           beyond citeseer. --Galen
           \_ I had originally planned on (and still probably will) using
              either DES or 3DES (which ever I can get away with linking
              with without needing a export license). I was reading AC and
              found IDEA, which Schneier seemed to recommend. When I heard
              about AES I just wanted more info.
              Since I'm not an expert at this, I just wanted to read about
              how resistant AES is to known crytanalysis as compared to
              other cyphers. Anyway the above link had the info I needed.
2001/7/27-28 [Computer/SW/Security] UID:21977 Activity:low
7/27    Is there an easy way to use ssh-agent with KDM so that all my KDE
        processes can use my private key?
        \_ D00D U R 50 '1337 4 U51NG 57R0NG CRYP70! R U BL4CK H47 | WH173
           H47? 1'M S7111 R3D H47!
2001/7/24 [Computer/SW/Security] UID:21936 Activity:nil
7/24    Its probably a good thing we are running OpenSSH instead
        of that commerical version:
        http://www.ssh.com/products/ssh/exploit.cfm
        \_ There was a hole in openssh a month ago.  Get a clue.  -tom
           \_ But the whole was not in the *default* config, this
              is a hole in the standard config.
        \_ My read of this "hole" is that it takes a password of two or
           fewer characters to open it up.  Somehow, that doesn't have me
           quaking in my boots.  Still, thanks for pointing it out. --PeterM
           \_ Some of the daemon accounts on *nix systems have NP as
              the password in /etc/shadow.
2001/7/24 [Computer/SW/Security] UID:21921 Activity:nil
7/23    All .mil sites no longer accessible to public!
        http://abcnews.go.com/sections/world/DailyNews/militarycyberattack_010723.html
2001/7/23 [Computer/SW/Security, Computer/SW] UID:21915 Activity:moderate
7/23    How do big employers catch employees surfing porn sites?  Do they run
        software that checks employees' URL requests against a list of host
        names of known porn sites?  Or do they actually check the content
        being transmitted?  I don't think they'd hire an IT person to visually
        inspect every .JPG being transmitted, right?
        \_ i could require you to use a proxy to get out to
           surf the web, then i can just read the access logs and
           see you accessing the dirty pictures.  there's also
           expensive software out there that will catalog and
           present in a nice gui to your manager your web surfing
           habits.  i can't remember the names of any of them
           right now.  you don't need to hire an employee,
           there is software that sits on the router that will
           do all the above.
        \_ Yes, that is my job. I examine all your dirty little pictures
           and decide which ones to keep on file.
        \_ use sameer's filter
            \_ URL? Google came up mainly with his current business and
               techno music stuff.
2001/7/21 [Computer/SW/Security] UID:21894 Activity:nil
7/20    Anyone here using megapath, speakeasy or telocity for dsl?
        If so, is the service reliable? I'm trying to decide between
        these three, as they seem to be the best rated in the SJ
        area according to dslreports. I'm leaning toward telocity
        because its $49/mo (128/1.5), while the other two are about
        $89/mo for the same. (Price isn't really an issue, I'm willing
        to pay ~ $100 for reliable highspeed service, but if the
        service is the same, I might as well go with the cheaper one).
        \_ I have IDSL (144/144) through MegaPath; had it about a year.
           Their tech support is a little annoying to reach, but the
           people you talk to actually seem to have clue (so very,
           very rare).  I like them.  --dbushong
        \_ I have ADSL through Telocity and it was fairly reliable
           since my service was restored after the Northpoint disaster.
2001/7/19-20 [Computer/Networking, Computer/SW/Security] UID:21867 Activity:high
7/19    I want to host a basic website running on my home computer. Any
        recs on a DSL provider that will let me have my own domain, whose
        service doesn't suck, and is under $100/mo?
        \_ First world has a 192K/1.5M line for $69/mo. The line comes
        \_ Firstworld has a 192K/1.5M line for $69/mo. The line comes
           with two static IPs and they don't care what domain name you
           register for those IPs.
           Alternatively you could try sprintbroadband (wireless). The
           "line" is 256K/2M for $49/mo and comes with one static IP.
           You need line of site to Monument Peak though.
           \_ Hey genius, Firstworld is dumping their DSL customers on
              Earthlink with no guarantees as of August 31st, so...
              \_ Where did you read this? I can't seem to find it on
                 their web page, but if its true, I need to switch my
                 line soon.
        \_ http://Speakeasy.net
2001/7/18 [Computer/SW/Security] UID:21836 Activity:high
7/17    ranga, http://www.ssh.com/products/ssh/cert/vulnerability.html
        is 404 today, but was there yesterday.  What gives? - new guy #2
        \_ Take a look at:
http://www.google.com/search?q=cache:xWSTNSCGxl8:www.ssh.com/products/ssh/cert/vulnerability.html+ssh1+vulnerabilities+cert&hl=en (go google.  fight the power).
        \_ Actually all you really need is:
http://www.google.com/search?q=cache:xWSTNSCGxl8:www.ssh.com/products/ssh/cert/vulnerability.html
           Isn't web caching wonderful? I've also preserved a copy of just
           the text at: http://www.csua.berkeley.edu/~ranga/misc/sshv1.txt
           \_ Is it? http://www.google.com/search?q=cache:www.csua.berkeley.edu/motd
        \_ downright scary.
        \_ re ssh (not google cache) it seems that ssh1 is fine iff
           1. you do not use RC4
           2. you have valid host keys
           \_ There is also an intercept attack, but I'm not sure if
              that was covered in the cert stuff.
2001/7/18 [Computer/SW/Security] UID:21834 Activity:low
7/17    A Russian cryptographer was arrested in the US for giving talk on
        ebook security:
        http://www.planetebook.com/mainpage.asp?webpageid=165
        \_ Clever. The First Amendment only applies to Americans.
          \_ ... that don't violate copyrights, or tell you how to make
             bombs, or ....
2001/7/17 [Computer/SW/Security] UID:21822 Activity:high
7/16    I'm also new to the csua -but not as "social minded" as the previous
        poster.  What problems have you had using ssh1?  I hear ssh1 is
        very vulnerable to certain attacks, but I've never been able to
        get someone claiming this to point me to urls/papers about ssh1
        vulnerabilities.  Is it something inherent in the ssh1 protocol (but
        not in ssh2)?  Googling for "ssh1 vulnerabilities" doesn't seem to
        turn up much.
        \_ Not this all over again.
           \_ No. I don't want flammage about openssh vs ssh1 vs ssh2d.  I
              want facts and urls to papers.
        \_ Take a look at:
           http://www.ssh.com/products/ssh/cert/vulnerability.html
           It has a summary of the cert warnings associated with ssh v1.
           ----ranga
           \_ thank you! - OG poster
2001/7/11 [Computer/SW/Security] UID:21767 Activity:nil
7/12    evoice is going away.  any other service on the web out there
        like it?  - danh
        \_ http://onebox.com
2001/7/10 [Computer/SW/Security] UID:21753 Activity:moderate
7/9     I accidentally clicked on "remember my password".  How do I reverse
        this security mess?
        \_ click "forget"
        \_ what program?
           \_ internet explorer (application/login asked for it)
        \_ if it was "Remember my password" on a web page, delete your cookies.
           if it was the IE autocomplete thingie, Tools > Internet Options >
           Content > AutoComplete, uncheck the user/passwords box, click on the
           Clear Passwords button.
           \_ thx
2001/7/9-10 [Computer/SW/Security] UID:21749 Activity:high
7/9     W/ scp, is it possible to turn off encryption for a given data
        file while preserving encryption of the authentication process?
        (I'm sending a lot of large, nearly uncompressable files that
        aren't sensitive, and I just want to encrypt my password).
        \_ encryption != compression
        \_ Understood.  I was merely mentioning that to make it clear
           any sort of benefits gained from the data munging are nil.
           \_ But what do you expect to gain by turning off encryption?

today   What's the best way to turn a movie into MPEG?
        \_ http://www.tmpgenc.com
2001/7/9 [Computer/SW/Security, Politics/Foreign/Asia/Others] UID:21740 Activity:nil
7/8     Speaking of M$, Any thoughts on why MSFT can't seem to get their
        instant messanger service running?
          I would think that with a co like MSFT the backup redundency
        would basically mean they can crash the entire system and it
        would still work within a day when they activate the mirror
        service sitting in line india or something-- but they have just
        been dead for a week now...
2001/7/5-6 [Politics/Domestic/California, Computer/SW/Security] UID:21720 Activity:nil
7/5     http://www.securityfocus.com/templates/article.html?id=221
        \_ Computer security consultant and confessed cyber intruder
           Max Butler will serve out his 18-month prison term at the
           privately-run Taft Correctional Institution in central California,
           sources say.
2001/7/4 [Computer/SW/Security, Computer/SW/Unix] UID:21712 Activity:insanely high
7/4     I'm running win2k.  when i leave my computer alone
        for a while and I come back, I have to enter in my password
        to "unlock" it.  How do get rid of this?
        \_ M-X install-linux
        \_ disable the screen saver password.
         \_ no it's something else
            \_ works for me.  dunno what weird config you have.
        \_ Control Panel -> Power Options
        \_ Repartition, install !win2k.
2001/7/3 [Computer/Networking, Computer/SW/Security] UID:21706 Activity:nil
7/3     Metricom has declared bankruptcy:
        http://news.cnet.com/news/0-1004-200-6442868.html?tag=tp_pr
2001/6/30 [Reference/Law, Reference/Law/Court, Computer/SW/Security] UID:21688 Activity:nil
6/30    fuck amihotornot: http://www.ratemyrack.com
2001/6/28 [Computer/SW/Security] UID:21666 Activity:nil
6/28    I'm trying to SSH into a PIX box.  i've tried ssh -l "" HOSTNAME
        and that asks for the password for @HOSTNAME.  I would think
        this would work but it doesn't.  (the problem here being that
        the Cisco PIX just asks for a password not a username).
        What is the correct way to connect?
        \_ ssh -l <username> <hostname>
           \_ Maybe (s)he didn't want to reveal his remote login name to
              someone who can do a ps on the local host?
        \_ AFAIK you need to add a user to the PIX before it will allow
           you to login. - cisco alum
2001/6/19 [Computer/SW/Security] UID:21580 Activity:high
6/19    some fuck in russia the other day "found" a security hole in our
        system and sent us a letter that more or less said,
        "If you give me $150k I won't reveal this security
        hole to the public." Blackmail. One guy, some
        liberal dude, remained unconvinced that the intent was
        blackmail.  Should we call the FBI?
        \_ What can the FBI do in this situation?
        \_ Yes. FBI Special Agent Kevin D. Johnson has helped us in exactly
           this matter: +1 (415) 553-7400.
           \_ Why are seemingly all FBIs "special" agents? Are there actually
              regular agents?
              \_ Most field agents who interact with the public are special
                 agents. Whereas they have a supporting staff, such as lab
                 techs and etc. who are just agents. it's all on the FBI www
              \_ Why are the FBI folks called "agents", why not just "officers"
                 or "cops"?
                 \_ why are real estate agents called agents instead of
                    salesmen?
2001/6/19 [Computer/SW/Security] UID:21577 Activity:high
6/19    Here is another question for all you knowledgable crypto people.
        How bad is the ability of a PC to generate random numbers for
        cryptography?  Is this at all a limiting factor in PC based
        encryption?  If someone were to build a little box that made
        random numbers based on a physical process that was provably
        uncorrelated, would that interest people?
        \_ PC's running reasonable OS'es generate good random numbers. -tom
        \_ Depending on the sources of entropy used, a ordinary PC
           can generate sufficiently random numbers for use with
           cryptography. Look at how ssh does it for more info.
        \_ P3s can generate random numbers based on thermal noise, right?
           \_ I don't know.  There IS a thermal diode on it, but I'm not
              sure of the response time.  Actually, that might be an
              interesting little problem/implementation to do, since a
              lot of devices have thermal diodes these days, for over
              temperature protection.  -nweaver
2001/6/19 [Computer/SW/Security, Computer/Theory] UID:21573 Activity:high
6/18    I have a question about diffie-hellman. After going through the initial
        key exchange and generating the session key k', how do you use this key
        with 3des or blowfish? Do you just trucate the key to the appropriate
        length (doesn't seem right) or is there some other method?  tia.
        \_ Probably feed the key into a one way hash function (i.e. MD5) that
           outputs the appropriate number of bits.
           \_ This is correct.  You would use a hash function.  However, you
              should not use Diffie-Hellman straight, much the same as you
              should not use plain RSA.  Get a cryptography book and read
              about it.
              \_ Okay, I understand the bit about the hash function, but
                 I don't understand why the session key k' can't be used
                 directly? I've been referring to Applied Cryptography,
                 but I can't seem to find a place where he explains why
                 the session keys should not be used directly.
                 \_ Here's a hand-wavy argument:
                        Your DH key must be larger than your 3DES key since
                        otherwise it's easy to break DH.  This means that
                        you'll have to shrink your DH key to make your 3DES
                        key.  You want to make your 3DES key by using all of
                        the randomness that you've got in your DH key, but
                        you don't know if truncating the DH key will do this.
                        However, you DO know that using a good hash function
                        to make your 3DES key will conserve all of the
                        randomness of your DH key.
                        \_ I guess I wasn't clear. I understand that I
                           need to hash the session key in a way that
                           preserves the randomness of the key and that
                           I need to use the hash value as the key for
                           my crypto algorithm.
                           The bit I don't understand is related to the
                           following: I keep reading that one should use
                           the hashed value of the session key *only* for
                           encrypting a different secret key and then that
                           encrypted secret key should be transmitted so
                           that all other transmissions are encrypted with
                           the secret key rather than the hash of the
                           session key.
                           Why can't I just keep using the hash of the
                           session key? It seems much simpler to do this
                           than to maintain a separate secret key.
2001/6/14-7/20 [Computer/SW/Security] UID:21514 Activity:low
6/13    Note that sprint just cancelled ION- who the hell knew what ION was
        anyway???? They had all these commercials but never once showed the
        product or what it does.  Teledesic rocks!
        \_ I never saw an ION commerical, but I had read about it
           on several ng's. I was looking forward to migrating from
           1.5 DSL to ION, but I guess that's not possible now. BTW,
           the ION web page doesn't have any info on the cancellation,
           though the check for service now says that the service is
           unavailable in my zip code (it was available last week).
           Teledesic looks good, but they won't be in wide service
           till 2005. I considered WildBlue for a bit, but they
           don't seem like they are *nix friendly (PC/Mac only).
           That leased line is looking better all the time.
2001/6/12 [Computer/SW/Security] UID:21496 Activity:nil
6/12    Here's the bottom line: The RIAA wants to control all channels
        of distribution. For a user to access his own "private"
        collection may infringe upon the notion of "ownership." Meaning
        that by leaving those mp3s on an "open" (yes it is open because
        you have access to it outside of the LAN) network exposes the
        user to "potential" distribution infringement. http://mp3.com
        attempted something like this but the RIAA nuked that idea
        right out the water. The way it would have to work is if the
        RIAA forces the user to license each component of music that
        he/she has access to, regardless if they had, indeed, purchased
        it. Why? Because the RIAA can track that information still.
        How? Through the networking software. Tapes and CDs prove to be
        untrackable in terms of distribution but software is trackable
        especially over networks. As long as the RIAA can track their
        distribution, no user truly can have that sense of privacy. In
        terms of tapes and CDs, the RIAA would have to invade each
        suspected user's home and then provide a warrant to search
        their premise. That's ridiculous in terms of overhead.
        Networking software makes usage tracking simple. The idea won't fly.
        I might've been talking about mp3 cell phones that are
        distributed by sony a while back. The reason why those are
        novel (albeit not necessarily popular) is because 1) it's Sony
        and DoCoMo doing the distribution; 2) the method of transmission
        is done through the memory chip. The memory chip is portable
        and removable so it's effectively like copying onto a tape.
        Supposedly the new G4 technology being pushed by DoCoMo will
        have a Java client that gets streaming audio/video to your
        phone. If it does, you can guarantee those lines won't be
        private and if they are it'll be challenged in court. - keithyw
2001/6/1-3 [Computer/SW/Unix, Computer/SW/Security] UID:21404 Activity:very high
5/31    Does anyone have the login/pw for the private space at
        http://ign.com?  We shouldn't have to be paying for access..esp.
        things like the silent hill 2 full trailer.
             \_ Will somebody please provide a valid login/pass?  They
                fucking cut off the last Hideo Kojima interview on the
                subject of mgs2...damnit..that chafes my hide.
        \_ sign yer name -shac
           \_ oh come on. the rest of the motd wants to know too.
        \_ l: phil
           p: vahmifqy
        \_ They have to pay reporters, editors, webmasters, sys admins,
           electricity bills, network connection bills, and much more - why
           shouldn't you have to pay them back for some of it?  The dream of
           an advertiser-supported internet is dead - ads don't pay enough.
           \_ pay should be voluntary, like the PBS model.  If you like what
              you get, you should donate some cash, but you shouldn't have
              to pay before seeing the goods.
              \_ that's ridiculous.
              \_ Communism is dead, kid.
                 \_ YEAH, BECAUSE PBS IS AN EVIL COMMIE LIBERAL STATION.
                    \_ psb is a communist?
                 \_ This isn't communism.  If it were communism, everyone would
                    be forced to pay the government, and the government would
                    be funding and running everything.  Voluntary donations are
           than in a piece of shit rm or WMP format.  Is that too much to ask?
           Damn ign bastards...*sigh*
                    completely different.
                    \_ "You shouldn't have to pay before seeing the goods."
                       There is that "should" there that I don't like.  The
                       mentality seems to be that the consumer can dictate
                       to the producer their terms.  In a truly free society,
                       all contracts are voluntary.
                 for Linsux.
                       \_ what's wrong with that?  we're in a capitalist society
                          driven by consumerism; why shouldn't consumers dictate
                          what they want?
                          \_ because you're an idiot.  you don't get to decide
                             *after* you use something whether you want to
                             pay for it.  -tom
                             \_ you do if you have access to warez. long live
                                warez! cd images galore! i wonder when someone
                                will finally crack down on newsgroup piracy?
           \_ Property is theft!
       \_ regardless of what anyone agrees on,  login: phil
           p: vahmifqy  doesn't work.  Someone please provide a valid
           login/pw.  It's not like I can't get it at one of the
           other sites;  I'd just rather have it in quicktime format
           than in a piece of shit rm or WMP format.  Is that too much
           to ask? Damn ign bastards...*sigh*
           \_ COMMIE MAC USER!!!
              \_ QuickTime runs on Windows and there is even mov player
                 for Linux.
                  \_ The Windows Media Player much better than real, QT or
                     anything similar out there.
                     \_ WMP? Good? Surely you jest. AVI and ASF are total
                        POS. The quality is terrible and the playback
                        frequently hangs esp. if you try to stream a file.
                        QuickTime at least has decent stream and playback.
                         \_ I know not of AVI/ASF.  What i know is that
                            when i play the SAME file with REAL it looks
                            like crap, when i play it with WMP it looks good.
                            \_ you need to study harder. the correct answer
                               is "M$ SUC|<Z U53 L1NUX!" and not worry about
                               whether something works for you or not.
2001/5/26-28 [Computer/SW/Security] UID:21366 Activity:insanely high
5/25    If IPv6 encrypts everything (IPSec) as part of the standard, does this
        mean protocols like ssh would no longer be required?  Will IPv6 allow
        telnet and ftp and other cleartext password protocols to live on?
        What use would there be for ssh if IPv6 was everywhere?
             \- i realize i am "begging the hypothetical" but the "if ipv6
             was everywhere [and interoperating nicely, with reasonable key
             management, and transparancy]" is a pretty big if. "if ksh does
             everything sh does and more, why do we still have sh?" etc. --psb
                \_ It's a good question.  I think the answer is mostly just
                   inertia and history.
        \_ there will always be a need for application-level security
           \_ What does ssh do for me that ipsec doesn't?  IPv6 encrypts, it
              compresses, QoS, and lots of other funs things.  What does ssh
              get me in a pure IPv6 world? (Yes, I know this will take a while
              to happen, that's not my query).  Don't get me wrong.  I love
              ssh and use it for all sorts of stuff.  I'm just not seeing a
              big role for it in IPv6.
              \_ Authentication?
                 \_ I think a telnet prompt with memorised password is better
                    auth than the keys-on-disk ssh standard auth.  I can steal
                    your private key.  I can't read your mind.
                \_ you can require a key on disk, and protect the
                   key with a passphrase
                    \_ Is stealing someone's private key easier than reading
                       their password out of the password file?
                        \_ Yes.  And can be more useful.
                    \_ Of course -my- private key is encrypted. Go ahead and
                       steal it. As for memorized password, it can be easily
                       stolen as well with a use of a trojaned client or
                       server, and I have seen this happen many times.
                        \_ So you unencrypt your key before each use?  Uh huh.
                           If the server or client is trojaned all is lost
                           anyway so it hardly matters what you use at that
                           point, does it?
                           \_ This is not true in general.  It's easy to
                              authenticate yourself without revealing
                              your private key.
                           \_ Yes, man ssh-agent. And if your are not using
                              ssh-agent, then yes, you need to decrypt the
                              key every time you use it. Ssh client does this
                              for you. And yes, this is more secure because
                              you don't have to send neither your password
                              nor your private key to the remote ssh server.
                                \_ I think you don't understand how ssh-agent
                                   or ssh itself works.  ssh-agent is a local
                                   key manager that makes it so you don't have
                                   to retype your passphrase over and over for
                                   each new connection.  Nothing more.  I'd
                                   like to hear your explanation of how it
                                   auths to the server without sending any
                                   info.
                                   \_ do you even know what PKI means?
                                      \_ Same question: how are you doing auth
                                         without sending someone something?
              \_ i was speaking more broadly, e.g. SSL too.  the main use
                 of app-level security is authentication and integrity
                 of data between app-level (not system-level) principals.
                 \_ Is something like app-level ssl necessary when the
                    underlying protocol (IPv6 in this case) deal with it?
                    \_ yes, particularly for distributed systems. not
                       only are there app-level principals that are not
                       known at the system level to auth/authz, but
                       you also want to reduce the extent of damage when
                       one part fails.
        \_ Agent system, agent forwarding, x11 forwarding...
        \_ BTW, IPSec has nothing to do with IPv6.  Implementations of both
           for *BSD systems happen to be codevelped by the same people
           (kame.net), but IPv6 !=, is not a superset of, does not imply,
           whathaveyou, IPSec.
           \_ Well, true, but what I read implied that IPv6 is assumed to use
              IPSec by default.
2001/5/17 [Computer/SW/Security] UID:21299 Activity:nil
5/16    OpenSSH 2.9 is released! And it supports rekeying, and all those other
        ssh2 features that people have been bitching about. When's soda going
        to upgrade?
        http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98883939725585&w=2
        \_ Only tom's been bitching, the rest of us use OpenSSH and have no
           problems.
           \_  I have problems using OpenSSH. I keep getting these constant
               stream of emails from some guy named Tom Holub telling me to
               switch.
        \_ Hm, I suppose I should look into that upgrade to 2.5.2p2 that
           someone suggested a while back. --root
        \_ What's wrong with openssh?  I'm using it and it works perfectly.
           \_ unless you are tom there is no problem
           \_ Prior versions of opensshv2 sucked when connecting to the non
              "open"ssh. even openssh2.5. I'm happy to report thta 2.9 has
              fixed my (20-40)-second delay problems.
2001/5/16-17 [Computer/Networking, Computer/SW/Security] UID:21289 Activity:moderate
5/15    http://edge.mcs.drexel.edu/GICL/people/sevy/airport/128bit.html
        (How to get 128-bit encryption from your Airport base station)
        \_ too bad you cant get 128bit from the builtin airport interface
           on their laptops. --jon
        \_ Rumor has it that 802.11b (including AirPort) are going
           to 54mbps w/128bit encryption in the coming months.
           Also, above url states AirPort has 64bit encryption,
           which is wrong, it's 40bit, which everyone knows
           you can pretty much break on the fly with your laptop
           and a little reciever.
           \_ 802.11b will never be 54 MBit. 802.11a will be. Its
              scheduled to be released in the fall/winter of this
              year.
              Most people say that you will probably need a new
              Airport card, but that you can probably upgrade
              your base station.
       \_ Uh, wtf is the point?  The Gold and Silver levels of 802.11b
          encryption have both been cracked.  Run IPsec with however many
          bits you want...
          \_ Its not "encryption" is Wireless Equivalent Privacy. The
             protection it provides is the same as what cat5 cable
             provides. No more, no less.
2001/5/6-7 [Computer/SW/Mail, Computer/SW/Security, Computer/SW/Unix] UID:21182 Activity:high
5/6     any web-based newsgroup posting sites out there now?
        deja/google not allowing at the moment...please advise?  thanks.
        \_ http://www.mailandnews.com
2001/4/30-5/1 [Computer/SW/Security] UID:21152 Activity:kinda low
4/30    ForwardX11 is set to "yes" in my sshd2_config file (and was by
        default so i assume support was compiled into the default Fsecure
        ssh2 install that i have), but my DISPLAY is NOT being set upon
        connecting.  What could be wrong?
        \_ That's ForwardX11 not ForwadX11.
           \_ fixed.  It is spelled right in the conf file.
        \_ the remote sshd may not itself support X11 forwarding.
2001/4/30-5/1 [Computer/SW/Security, Computer/SW/OS/FreeBSD] UID:21147 Activity:high
4/30    And you though OpenBSD was strict about long hard to
        forge passwords:
        http://support.microsoft.com/support/kb/articles/q276/3/04.ASP
        \_ And the fun part is what happens when your admin account hits
           this fun little bug and you can't login to run the patch? FUCKED.
        \_ 03/08/2001  06:43p  5.0.2195.3351  331,536  Msgina.dll
           Software named after an SO?
           \_ Maybe but GINA actually stands for something.  This isn't to
              say some random MS lackey didn't come up with something to fit
              the letters though.
              \_ Global Integer Non-Assigned for those of you who
                 don't speak hungarian
                 \_ Thanks.  I was too lazy to look it up but I'm sure it was
                    on google.
2001/4/25 [Computer/SW/Apps/Media, Computer/SW/Security] UID:21107 Activity:nil
4/25    http://news.cnet.com/news/0-1005-200-5726313.html?tag=tp_pr
        We should develop tech like this for the motd. Have a phantom
        "virtual sodan" bot that answers the dumb questions, and emits
        the obligatory RIDE BIKE and 'use google' remarks, and occasionally
        fetches useful info.
        \_ That's pretty useful for spreading rumors when you short a stock.
           \_ You mean getting sued and ruining your life?
        \_ It should also periodically initiate an Asian Chix post,
           post some obligatory trolls, insult tom, and accidentally
           overwrite some posts...just like a real person.
2001/4/25 [Computer/SW/Security] UID:21100 Activity:high
4/25    Where can I get the web based ssh stuff soda is running?  I want to do
        the same thing at home to get around some workplace lame network setup
        issues.  Thanks.
        \_ /usr/local/www/htdocs/ssh
        \_ or dl it  from mindbright yourself:
                http://www.mindbright.com./products/mindterm
        \_ you do realize that it's just an ssh client in java, right?  it's
           not ssh over http or anything, so if your network doesn't allow
           ssh packets to go through, it won't help you.
           \_ That can easily be remedied by having sshd listen to a port
              that the firewall allows instead of 22.
                \_ Ok, I dug further into it (I'm remote so this is all through
                   email with the other person) and it appears they're doing
                   http proxying.  Nothing goes directly out.  The workstation
                   IP is 10.x.y.z.  There is a unix box though, so I'm having
                   them install sshd on that, running it on a high port, and
                   then doing ssh NT->unix->home.  The unix box has a real IP
                   but only runs telnetd right now.  You were right about the
                   mindbright stuff not being what I wanted.
           \_ Hmmm... didn't know that.  I'll have to check it out.  Thanks
              for all the links and paths.
        \_ Ok, I found httptunnel.  There's source, RPMs and a windows binary.
           Thanks for the help and info.  Anyone bored is welcome to delete
           this thread.
2024/12/25 [General] UID:1000 Activity:popular
12/25   
Results 301 - 450 of 1108   < 1 2 3 4 5 6 7 8 >
Berkeley CSUA MOTD:Computer:SW:Security:
.